• curl -u osint9:book143wt -O https://inteltechniques.com/osintbook9/ff-template.zip
• unzip ff-template.zip -d ~/.mozilla/firefox/
• cd ~/.mozilla/firefox/ff-template/
• cp -R * ~/.mozilla/firefox/*.default-release
• cd ~/Desktop
• curl -u osint9:book143wt -O https://inteltechniques.com/osintbook9/tools.zip
• unzip tools.zip -d ~/Desktop/
• rm tools.zip ff-template.zip
You should now possess a virtual machine which includes every script, icon, shortcut, application, and
configuration discussed within this book so far. While you may feel tempted to play around with your new VM,
please don't. We want to keep it clean and have more work to finish. If you launch your Applications menu, you
should see new programs and scripts as previously explained. Figure 5.01 displays a small portion of the menu.
Figure 5.01: A custom Ubuntu Applications menu with new apps.
OSINT VM Tools-Advanced
Next, let's apply the "advanced" settings which are explained later in the book. We want a complete machine
which can be "locked-in" for future use. The following steps prepare your VM for future chapters.
• cd ~/Downloads/Programs
• git clone https://github.com/lanmaster53/recon-ng.git
• cd recon-ng
• sudo -H pip install -r REQUIREMENTS -I
• cd ~/Downloads/Programs
• git clone https://github.com/smicallef/spiderfoot.git
• cd spiderfoot
• sudo -H pip install -r requirements.txt -I
• cd ~/Downloads/Programs
• git clone https://github.com/AmIJesse/Elasticsearch-Crawler.git
• sudo -H pip install nested-lookup -I
• sudo -H pip install internetarchive -I
• sudo apt install -y ripgrep
• sudo -H pip install waybackpy -I
• sudo -H pip install search-that-hash -I
• sudo -H pip install h8mail -I
• cd ~/Downloads
• h8mail -g
• sed -i 's/\;leak\-lookup\_pub/leak\-lookup\_pub/g' h8mail_config.ini
• cd ~/Downloads/Programs
• git clone https://github.com/mxrch/ghunt
• cd ghunt
• sudo -H pip install -r requirements.txt -I
92 Chapter 5
You should now have an OSINT VM which is ready for the Advanced Linux techniques discussed much later
in the book. It will be convenient to maintain a single OSINT VM which is applicable to this entire book instead
of "Basic" and "Advanced" versions. We have a lot to get through before we are ready for the advanced section,
but we will be able to pick up where we left off without any additional installation or configuration. We can
focus only on the usage of these tools without redundant explanation of script creation, icon placement, and
desktop shortcuts.
Your Linux Ubuntu VM is now completely functional but not very pretty. You might prefer it this way. Many
Linux experts enjoy the bland look and requirements to hunt for features as needed. I do not. The next section
simplifies several modifications to the graphical interface.
OSINT VM Interface Configuration
Now that your VM contains numerous custom scripts and applications, you may want to customize the
appearance. You could open the Applications menu, right-click on each new OSINT shortcut, and add them to
your Dock, but that is very time-consuming. The following commands change the background; clear the entire
Dock; adjust the Dock position; place all desktop shortcuts within your Dock for easy access; and decrease the
icon size. These commands are included in the previously mentioned "linux.txt" file.
• gsettings set org.gnome.desktop.background picture-uri ''
• gsettings set org.gnome.desktop.background primary-color 'rgb(66, 81, 100)'
• gsettings set org.gnome.shell favorite-apps []
• gsettings set org.gnome.shell.extensions.dash-to-dock dock-position BOTTOM
• gsettings set org.gnome.shell favorite-apps "['firefox.desktop',
'google-chrome.desktop', 'torbrowser.desktop',
'org.gnome.Nautilus.desktop', 'org.gnome.Terminal.desktop',
'updates.desktop', 'tools.desktop', 'youtube_dl.desktop',
'ffmpeg.desktop', 'streamlink.desktop', 'instagram.desktop',
'gallery.desktop', 'usertool.desktop', 'eyewitness.desktop',
'domains.desktop', 'metadata.desktop', 'httrack.desktop',
'metagoofil.desktop', 'elasticsearch.desktop', 'reddit.desktop',
'internetarchive.desktop', 'spiderfoot.desktop', 'recon-ng.desktop',
'mediainfo-gui.desktop', 'google-earth-pro.desktop', 'kazam.desktop',
'keepassxc_keepassxc.desktop', 'gnome-control-center.desktop']"
• gsettings set org.gnome.shell.extensions.dash-to-dock dash-max-icon-size 32
You should now possess a final OSINT VM ready to clone for any investigation. Keep this machine updated
and only use it to clone into additional machines for each investigation. Never browse the internet or conduct
any investigations from within this clean VM. At the time of this writing, I possessed three VMs within
VirtualBox, as follows, and seen in Figures 5.02 and 5.03.
• OSINT Original: My final VM which is the source of any clones used for investigations. I keep it
updated and apply any changes as needed.
• Ubuntu Install: A VM which only contains a basic installation of Ubuntu. I keep a snapshot available
which I can revert to if I use this machine to experiment with Ubuntu configurations.
• Ubuntu Install & Configuration: A VM of Ubuntu with all custom settings and VirtualBox tools
installed. I also keep a snapshot ready here. I can test new software without worry of any conflicts from
my final VM.
VM Maintenance & Preservation 93
If I were launching a new online investigation, I would right-click the "OSINT Original" machine (while
powered down) and select "Clone". I would then create a "Full Clone" and title it appropriately for my
investigation, as explained in just a moment.
Figure 5.02: A VirtualBox menu of OSINT VMs ready for use.
Figure 5.03: The final Linux OSINT VM with customized applications and appearance.
OSINT VM Complete Configuration Script
While this chapter has abbreviated the steps to build your own OSINT VM, you may still feel overwhelmed
with the required effort. In late 2019, my colleague Jesse created a single script which replicates every step we
have discussed up to this point, including the advanced OSINT Linux tools coming up later. I modified this
script to include every Linux configuration, installation, and customization mentioned throughout this entire
book. After you build your Ubuntu virtual machine within VirtualBox by conducting the steps previously
explained, launch the following two commands from within Terminal. You will be prompted to enter your
password at least once. After the process completes, you possess the same machine which was built during the
tutorials throughout this entire book.
• wget --user osint9 --password book143wt https://inteltechniques.com/osintbook9/linux.sh
• chmod +x linux.sh && ./linux.sh
You may feel frustrated with me. You may wonder why I did not start the book with this script. While I rely on
this single script often, it is cheating. Running a single command and achieving a complete VM is convenient
and time-saving, but it also eliminates any need to understand the processes. I believe the education received
while manually building an OSINT VM is more valuable than the final product itself. However, this automated
script simplifies the process when we need to quickly create another OSINT VM. It also allows me to apply
updates as needed from my end. You could launch this script a year after reading the book and immediately
apply all updates and changes which have occurred since publication.
An ideal scenario would be that you are already familiar with the VM creation and configuration process, but
you do not have a configured VM from which to clone. You have an Ubuntu VM, but no OSINT applications.
Entering these two commands within the Terminal of any Ubuntu installation should build your OSINT VM in
about 10 minutes. This script could also be launched from an Ubuntu host. If you had an old laptop with no
other purpose, you could install Ubuntu as the host operating system and run this script.
If you look at the script after download, which should be available within your "Home" folder inside your
Ubuntu install, you will see that it appears very similar to the text file with all of the Linux commands
(https://inteltechniques.com/osintbook9/linux.txt). This new script is simply executing each line as we did
manually throughout the book. While it can be a valuable time saver, you also risk missing any errors which
occur during execution.
I encourage you to ignore this script until you have confidence in your ability to create your virtual machine
manually. I find it more satisfying to use a VM which I created myself instead of one generated by an automated
script, but I want you to have options. If this script should fail on your VM, revert to the manual methods in
order to identify the issue.
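The risk of missing errors can be reduced by running a command list one line at a time and recording each exit status. The following is an added example, not the book's linux.sh or any script from the download archives; the function names and the sample commands are constructed, and it assumes a text file with one command per line.

```bash
#!/usr/bin/env bash
# Added example, not the book's linux.sh. Assumes a text file with one
# command per line (for instance, a reviewed local copy of a command list).

# run_logged CMDFILE LOGFILE
# Runs each line of CMDFILE in order and appends the command, its output and
# its exit status to LOGFILE. Every failed command is printed on stdout as
# "<status><TAB><command>". Returns 0 only if every command succeeded.
# The body is a subshell: "cd" lines carry over to later lines, as they do
# when typed by hand, but the caller's working directory is left alone.
run_logged() (
    cmdfile=$1
    # Resolve the log path first; later "cd" lines would break a relative one.
    logfile=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    failures=0
    : > "$logfile"
    # The list is read on descriptor 3 so commands keep the terminal on stdin
    # (sudo and installers may prompt).
    while IFS= read -r line <&3 || [ -n "$line" ]; do
        case $line in
            '' | '#'*) continue ;;   # skip blank lines and comments
        esac
        printf '### %s\n' "$line" >> "$logfile"
        if eval "$line" >> "$logfile" 2>&1; then
            status=0
        else
            status=$?
        fi
        printf '### exit status: %s\n' "$status" >> "$logfile"
        if [ "$status" -ne 0 ]; then
            failures=$((failures + 1))
            printf '%s\t%s\n' "$status" "$line"
        fi
    done 3< "$cmdfile"
    [ "$failures" -eq 0 ]
)

# Constructed demonstration: harmless commands, two of which fail.
# WORKDIR must be an empty scratch directory.
demo_run_logged() {
    workdir=$1
    cat > "$workdir/commands.txt" <<'EOF'
# constructed sample commands
mkdir -p Programs
cd Programs
ls no-such-directory
pwd
false
EOF
    ( cd "$workdir" && run_logged commands.txt run.log ) || true
}

scratch=$(mktemp -d)
echo "Failed commands:"
demo_run_logged "$scratch"
echo "Full transcript: $scratch/run.log"
```

The transcript keeps the output of every command, so a failed installation can be traced to its line and repeated manually.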
OSINT VM Software Updates
Assume that you have not touched your OSINT Original virtual machine in some time, and you are ready to
launch a new investigation. You likely have software updates which need to be applied. Instead of cloning and
updating every machine, launch your OSINT Original VM and conduct the following within Terminal. These
commands will update your operating system, installed applications, and custom programs created during the
previous chapter.
• sudo apt update
• sudo apt -y upgrade
• sudo snap refresh
• sudo apt update --fix-missing
• sudo apt --fix-broken install
• sudo -H pip list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 sudo -H pip install -U
• cd ~/Downloads/Programs/sherlock
• git pull https://github.com/sherlock-project/sherlock.git
• cd ~/Downloads/Programs/WhatsMyName
• git pull https://github.com/WebBreacher/WhatsMyName.git
• cd ~/Downloads
• wget -N https://github.com/ripmeapp/ripme/releases/latest/download/ripme.jar
• cd ~/Downloads/Programs/EyeWitness
• git pull https://github.com/ChrisTruncer/EyeWitness.git
• cd ~/Downloads/Programs/Sublist3r
• git pull https://github.com/aboul3la/Sublist3r.git
• cd ~/Downloads/Programs/Photon
• git pull https://github.com/s0md3v/Photon.git
• cd ~/Downloads/Programs/theHarvester
• git pull https://github.com/laramies/theHarvester.git
• cd ~/Downloads/Programs/Carbon14
• git pull https://github.com/Lazza/Carbon14
• cd ~/Downloads/Programs/metagoofil
• git pull https://github.com/opsdisk/metagoofil.git
• cd ~/Downloads/Programs/sherloq
• git pull https://github.com/GuidoBartoli/sherloq.git
• cd ~/Downloads/Programs/recon-ng
• git pull https://github.com/lanmaster53/recon-ng.git
• cd ~/Downloads/Programs/spiderfoot
• git pull https://github.com/smicallef/spiderfoot.git
• cd ~/Downloads/Programs/Elasticsearch-Crawler
• git pull https://github.com/AmIJesse/Elasticsearch-Crawler.git
• cd ~/Downloads/Programs/ghunt
• git pull https://github.com/mxrch/ghunt.git
• sudo apt autoremove -y
OSINT VM Software Update Script
I believe these update commands should be executed as often as possible. You always want your OSINT
Original VM to have the latest software. Manually entering each of these commands on a daily or weekly basis
is exhausting. This is why I have created a script to update everything we have installed in our OSINT Original
VM. This file is included within the scripts folder of the Linux "vm-files" archive previously downloaded, and
the content can be seen by opening "updates.sh" within your Ubuntu VM. You can launch this file by clicking
the "Update Scripts" application in the Applications menu or Dock of your OSINT Original VM. Look for the
circular arrow icon in the lower Dock next to the Terminal icon.
This script also includes the basic commands to update your operating system files and stock applications. The
first five commands address this issue. Everything else focuses on the customizations made throughout this
section of the book. After the script finishes, you should see "Updates Complete!" within Terminal. You can
now close the Terminal window knowing your system has been completely updated. While the "Software
Updates" icon within Ubuntu's Application menu updates your overall Ubuntu environment, it does not update
the OSINT applications. This is a better method.
OSINT VM Maintenance
You should now have a completely functional and updated virtual machine titled "OSINT Original". This is
your clean machine with no contamination from any investigation or testing. It has all the software we want,
and it is ready to be used. Next, let's consider an "OSINT Test" machine. This is the VM on which you can
practice Linux commands, test new programs, or create new scripts. It is a VM which will never be used for any
investigations. Its sole purpose is to give you a safe playground to experiment. Complete the following tasks
within VirtualBox.
• Right-click the VM titled "OSINT Original", click "Clone", and title it "OSINT Test".
• Supply the desired storage location and click "Continue".
• Select "Full Clone" and click the "Clone" button.
You now have a fully functional cloned "Test VM". Any activity within that machine will not change anything
in any other VMs. Repeat this cloning process any time you wish to conduct an investigation. In this scenario,
assume I created a new clone titled Case #2021-143. I can open this new VM which appears identical to my
original. I can conduct my investigation and close the machine. All evidence is stored within the machine and
can be extracted to my shared folder or USB drive if desired. All of my VMs are visible in Figure 5.04 (left). The
Android VM visible at the top is explained in the next chapter. Figure 5.04 (right) displays the Snapshots menu
option and an example of a Snapshot ready for restoration.
Once you have your Original VM created, configured, and updated, it is best to export a copy as a backup. You
have put a lot of time into this, and I would hate to see you lose the hard work. If your computer or storage
device would crash beyond repair, you would need to start over. If your Original VM would become corrupted,
restoring the data would be quite difficult. I keep an exported copy of my Original VM on a USB drive in case
of emergency. In VirtualBox, conduct the following steps.
• Shut down the VM you want to export.
• Single-click on the VM within the VirtualBox menu.
• Click on "File" in the menu, "Export Appliance", confirm the selection, and click "Continue".
• Choose the "File" export location on your drive and click "Continue" then "Export".
This produces a single large file which contains your entire OSINT Original VM. You could import this file into
any instance of VirtualBox with the "File" and then "Import Appliance" options. My strategy is as follows.
• I launch my OSINT Original VM weekly and apply all updates.
• I export my OSINT Original VM monthly as a backup.
• I conduct all software auditing and install new apps for testing on the OSINT Test VM.
• I create a new clone of the OSINT Original for every new investigation.
• At the end of the investigation, I export all evidence to an external drive.
• If necessary, I create an exported copy of investigation VMs for later review.
• I delete investigation VMs when no longer needed.
This plan ensures that every investigation is completed on a clean VM with absolutely no contamination from
previous investigations. My exported investigation VMs can be provided to other investigators or as part of
discovery in litigation. I am prepared to testify with confidence, if required.
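Because exported VMs and evidence may later be handed to other investigators or produced in litigation, it helps to be able to show that an export has not changed since it was written. The following is an added example, not a script from the book or its download archives: it seals an export folder with a SHA-256 manifest and later reports changed, missing, or added files. The function names, the SHA256SUMS file name, and the sample files are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the book's scripts. Function and file names are
# assumptions made for this illustration.

# Pick the SHA-256 tool: sha256sum on Ubuntu, shasum on macOS.
if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    HASH_CMD="shasum -a 256"
fi

# seal_export DIR
# Writes DIR/SHA256SUMS with a SHA-256 digest for every file under DIR
# (an exported appliance, screenshots, captured pages and so on).
seal_export() (
    cd "$1" || exit 1
    # $HASH_CMD is unquoted on purpose so "shasum -a 256" splits into words.
    find . -type f ! -name SHA256SUMS -exec $HASH_CMD {} + |
        LC_ALL=C sort -k 2 > SHA256SUMS
)

# verify_export DIR
# Prints one line per problem and returns 0 only when the folder still matches
# its manifest. "FAILED" lines come from the checksum tool (changed or missing
# files); "NOT IN MANIFEST" marks files added after sealing.
verify_export() (
    cd "$1" || exit 1
    [ -f SHA256SUMS ] || { echo "SHA256SUMS: missing"; exit 1; }
    changed=$($HASH_CMD -c SHA256SUMS 2>/dev/null | grep -v ': OK$' || true)
    # The checksum tool only reads listed files, so compare the listing too.
    listed=$(mktemp) && present=$(mktemp) || exit 1
    # Each manifest line is 64 hex digits, two separator characters, the path.
    cut -c 67- SHA256SUMS | LC_ALL=C sort > "$listed"
    find . -type f ! -name SHA256SUMS | LC_ALL=C sort > "$present"
    added=$(LC_ALL=C comm -13 "$listed" "$present" | sed 's/$/: NOT IN MANIFEST/')
    rm -f "$listed" "$present"
    [ -z "$changed" ] || printf '%s\n' "$changed"
    [ -z "$added" ] || printf '%s\n' "$added"
    [ -z "$changed$added" ]
)

# Constructed demonstration; the folder and file contents are stand-ins for a
# real export and its evidence.
demo_seal_verify() {
    export_dir=$1
    mkdir -p "$export_dir/Case #2021-143"
    printf 'constructed appliance bytes\n' > "$export_dir/Case #2021-143/case.ova"
    printf 'constructed capture\n' > "$export_dir/Case #2021-143/capture.html"
    seal_export "$export_dir"
    # Simulate changes made after sealing: one edit, one new file.
    printf 'edited later\n' >> "$export_dir/Case #2021-143/capture.html"
    printf 'added later\n' > "$export_dir/Case #2021-143/extra.txt"
    verify_export "$export_dir" || true
}

demo_seal_verify "$(mktemp -d)"
```

Keep a copy of the manifest somewhere other than the drive which holds the export, since a manifest stored beside the files can be rewritten along with them.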
Figure 5.04: Cloned machines and snapshots within VirtualBox.
Windows VM
While I prefer to conduct all investigations solely inside Linux, I respect that there may be a need for a Windows
VM. In fact, I am using one now. I write all of my books within an offline copy of Microsoft Word. I create
protected press-ready PDFs with Adobe Acrobat Pro. Neither of these applications run reliably on a Linux
machine, and my personal laptop possesses Debian as the host operating system. Therefore, I keep a Windows
VM for all writing. Installing Windows inside VirtualBox is not difficult, but licensing may be an issue. Therefore,
we will rely on the official Microsoft Windows 10 VM available directly from their website.
• Navigate to https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/.
• Choose "MSEdge on Win10" as the Virtual Machine.
• Choose "VirtualBox" as the Platform, and click "Download Zip".
• Unzip the downloaded file and keep a copy with your other VM backups.
• In VirtualBox, click "File" and "Import Appliance" in the menu.
• Choose the "ovf" file which you extracted from the zip file and click "Continue".
• Make any desired modifications as previously explained and click "Import".
• In the VirtualBox menu, click "Settings" then "Storage".
• Click the first "+" to add an optical drive, click "Leave empty", and click "OK".
• Before launching, create a snapshot of the VM as previously explained.
• Double-click the new Windows 10 machine to launch.
• Enter the password of "Passw0rd!" to enter Windows.
• In the VirtualBox menu, click "Devices" and "Insert Guest Additions CD".
• Through the Files explorer, double-click the mounted CD and choose "Yes".
• Click "Next", "Next", and "Install" to configure the default options.
• Reboot when prompted.
You now have a fully functioning and legal Windows 10 VM at your disposal. You can resize the window as
desired and install any Windows applications. You can configure the copy and paste options, shared folder, or
any other customizations as previously demonstrated. This is a 90-day trial, at which time the VM will no longer
boot. You can revert to the original snapshot you created at any time to restart the 90-day trial. Surprisingly, this
is allowed and encouraged from Microsoft.
You will notice branding within the desktop advising it is a trial. If that bothers you, you must acquire a license
and install from traditional media. This method is the easiest (and cheapest) option to possess a legal copy of
Windows within a VM at no cost.
Hopefully, you now have a virtual machine in pristine condition ready for your investigations. Keep your original
clean and only use it for updates. Make clones of it for each investigation. Make sure you have a safe backup
copy stored outside your primary device. Most importantly, understand the steps you have taken. It is very likely
that you will need to modify some of these commands as things change from the software developers. If you
should receive an error on any specific step in these tutorials, search that exact error online and you should be
presented many solutions. I send a sincere "Thank you" to David Westcott for opening my eyes to the many
ways in which Linux can be customized for our needs as online investigators.
I offer one final thought on creating your virtual machine. The chances of every application mentioned here
installing without any issue is slim. Programs break, updates cause issues, and the countless variables on your
system can be problematic. When something fails, keep moving on to the other options. Most of the time, a
future update, which you will receive during your update process, will fix things which currently do not work.
Chapter Six
Mac & Windows Hosts
I was originally conflicted writing this chapter. I previously explained the benefits of Linux virtual machines for
OSINT work and rely on them daily. I encourage everyone to consider them as a way to protect the integrity of
online investigations while isolating each case. However, VMs are not for everyone. Since the seventh edition, I
have heard from many readers asking to replicate the Linux tools within Mac and Windows. Some readers do
not have hardware which supports virtualization. Some do not have the permission from their employers to
install virtual machine software due to licensing concerns. Many simply are not comfortable with Linux and
want an easier solution. You may just want the ability to practice within an operating system with which you are
familiar. These are all legitimate reasons to avoid Linux and I hold no judgement. I must confess that I often
download videos directly from my Mac with my own scripts. Regardless of your reasons, you may want to create
an OSINT machine within native Mac or Windows. This chapter makes that happen. I believe the ability to
replicate Linux programs within Mac and Windows will encourage non-technical readers to embrace these
options. The tutorials within this section assume the following.
• You want to replicate all of the Linux VM applications and settings within your Mac or Windows
computer or virtual machine.
• You understand that conducting investigations within a native Mac or Windows host, without the use
of snapshots or clones, may contaminate your online evidence.
I begin with Mac because it is very similar to Ubuntu. In fact, Mac and Ubuntu are both based on a UNIX file
system and most of the commands are cross-compatible. We will need to make many modifications to the
operating system and scripts, but the basic usage will seem very familiar. I then explain the process for Windows,
which involves many more steps. All of the software installed during this chapter is completely free for personal
and commercial use without licensing restrictions. Every command within this chapter is available in digital form
at the following locations. Similar to the previous tutorials, enter a username of "osint9" and password of
"book143wt" (without quotes), if required, for access to these resources.
https://inteltechniques.com/osintbook9/mac.txt
https://inteltechniques.com/osintbook9/windows.txt
All tutorials presented within this chapter assume you are working with a new Mac or Windows
machine or VM. Pre-existing installations should function fine, but may conflict with some steps. The software
and tutorials are provided "as is", without warranty of any kind. In no event shall the author be liable for any
claim, damages or other liability, arising from, out of, or in connection with the software or tutorials presented
here (this makes my lawyer happy).
Mac OSINT Host
The first step is to install Brew. This is a package (software) manager which was mentioned in Chapter One
when discussing antivirus options for Mac computers. If you installed Brew then, you do not need to repeat the
process. If you did not, the following command within Terminal will install and configure the software. There
is no harm executing this command a second time.
• /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
This command may take a long time to complete. It may ask you for your password a couple of times, so you
should monitor occasionally. In my test, I had to enter my password twice and confirm installation with "enter"
once. Next, we need to install a recent version of Python3. While most Macs now have Python3 included by
default, it is typically an older version. The following command within Terminal installs the latest version of
Python3 and overrides the default version.
• brew install python3
Next, we want to install several of the Linux applications mentioned within the previous chapters onto our
native Mac machine using Brew. The first two commands can also take a long time to complete, but the third
should run quickly. You may be asked for your password. The following commands configure the majority of
our basic programs for immediate use.
• brew install zenity youtube-dl yt-dlp ffmpeg pipenv mat2 httrack
exiftool internetarchive ripgrep instalooter fileicon wget streamlink
libmagic
• brew install --cask firefox google-chrome vlc tor-browser google-earth-pro
keepassxc mediainfo phantomjs xquartz
• brew tap caffix/amass && brew install amass
If any of these packages become unavailable, you will receive an error preventing all installations. If this happens,
remove the missing package from these commands. After you have installed all of the Brew options, run the
following commands to make sure everything is set up appropriately. If you receive any errors, follow the
provided guidance within each dialogue.
• brew autoremove
• brew cleanup -s
• rm -rf "$(brew --cache)"
• brew doctor
• brew missing
Next, configure the Firefox browser with all extensions and settings previously explained with the following
steps.
• Open Firefox and close it completely.
• cd ~/Desktop
• curl -u osint9:book143wt -O https://inteltechniques.com/osintbook9/ff-template.zip
• unzip ff-template.zip
• cd ff-template
• cp -R * ~/Library/Application\ Support/Firefox/Profiles/*.default-release
• cd ~/Desktop
• rm -rf ff-template __MACOSX
• Open Firefox and confirm all extensions and settings are present.
Note that pre-existing Firefox installations may conflict with this tutorial. If needed, manually copy my profile
to yours using the methods explained in Chapter Three. Now that we have Firefox configured, we need all of
the custom scripts, links, icons, and tools which were present within the Linux VM. Conduct the following in
Terminal. This will also remove any downloaded files which are no longer needed.
• cd ~/Desktop
• curl -u osint9:book143wt -O https://inteltechniques.com/osintbook9/tools.zip
• unzip tools.zip -d ~/Desktop/
• curl -u osint9:book143wt -O https://inteltechniques.com/osintbook9/mac-files.zip
• unzip mac-files.zip -d ~/Desktop/
• mkdir ~/Documents/scripts
• mkdir ~/Documents/icons
• cd ~/Desktop/mac-files/scripts
• cp * ~/Documents/scripts
• cd ~/Desktop/mac-files/icons
• cp * ~/Documents/icons
• cd ~/Desktop
• rm mac-files.zip tools.zip
• rm -rf mac-files
• rm -rf ff-template
We now need to install all of the remaining programs which are not available within Brew. The following
commands within Terminal execute each installation and configuration requirement.
• sudo -H python3 -m pip install -I youtube-tool Instaloader toutatis
nested-lookup webscreenshot redditsfinder socialscan holehe waybackpy
gallery-dl xeuledoc bdfr search-that-hash h8mail -I
• wget http://svn.exactcode.de/t2/trunk/package/xorg/xorg-server/xvfb-run.sh
• chmod +x xvfb-run.sh
• mv xvfb-run.sh /usr/local/bin/xvfb-run
• cd ~/Downloads && mkdir Programs && cd Programs
• cd ~/Downloads/Programs
• git clone https://github.com/Datalux/Osintgram.git
• cd Osintgram
• sudo -H python3 -m pip install -r requirements.txt -I
• make setup
• cd ~/Downloads/Programs
• git clone https://github.com/sherlock-project/sherlock.git
• cd sherlock && sudo -H python3 -m pip install -r requirements.txt -I
• cd ~/Downloads/Programs
• git clone https://github.com/WebBreacher/WhatsMyName.git
• cd WhatsMyName && sudo -H python3 -m pip install -r requirements.txt -I
• cd ~/Downloads/Programs
• git clone https://github.com/martinvigo/email2phonenumber.git
• cd email2phonenumber && sudo -H python3 -m pip install -r requirements.txt -I
• cd ~/Downloads/Programs
• git clone https://github.com/aboul3la/Sublist3r.git
• cd Sublist3r && sudo -H python3 -m pip install -r requirements.txt -I
• cd ~/Downloads/Programs
• git clone https://github.com/s0md3v/Photon.git
• cd Photon && sudo -H python3 -m pip install -r requirements.txt -I
• cd ~/Downloads/Programs
• git clone https://github.com/laramies/theHarvester.git
• cd theHarvester && sudo -H python3 -m pip install -r requirements.txt -I
• cd ~/Downloads/Programs
• git clone https://github.com/Lazza/Carbon14
• cd Carbon14 && sudo -H python3 -m pip install -r requirements.txt
• cd ~/Downloads/Programs
• git clone https://github.com/GuidoBartoli/sherloq.git
• cd sherloq/gui && sudo -H python3 -m pip install -r requirements.txt
• cd ~/Downloads/Programs
• git clone https://github.com/opsdisk/metagoofil.git
• cd metagoofil && sudo -H python3 -m pip install -r requirements.txt
• cd ~/Downloads/Programs
• git clone https://github.com/MalloyDelacroix/DownloaderForReddit.git
• cd DownloaderForReddit && sudo -H python3 -m pip install -r requirements.txt -I
• cd ~/Downloads/Programs
• git clone https://github.com/lanmaster53/recon-ng.git
• cd recon-ng && sudo -H python3 -m pip install -r REQUIREMENTS -I
• cd ~/Downloads/Programs
• git clone https://github.com/smicallef/spiderfoot.git
• cd spiderfoot && sudo -H python3 -m pip install -r requirements.txt
• cd ~/Downloads/Programs
• git clone https://github.com/AmIJesse/Elasticsearch-Crawler.git
• cd ~/Downloads && h8mail -g
• sed -i '' 's/\;leak\-lookup\_pub/leak\-lookup\_pub/g' h8mail_config.ini
• cd ~/Downloads/Programs
• git clone https://github.com/mxrch/ghunt
• cd ghunt && sudo -H python3 -m pip install -r requirements.txt -I
• sudo -H python3 -m pip list --outdated --format=freeze | grep -v '^\-e'
| cut -d = -f 1 | xargs -n1 sudo -H python3 -m pip install -U
• sudo shutdown -r now
If you are copying these commands from the "mac.txt" file on my website, you should be able to copy an entire
section and paste it all into Terminal at once. Striking enter on your keyboard should execute each command
individually. This can be very convenient once you are comfortable with this process, but I believe each line
should be submitted manually as you become familiar with the actions. To be safe, restart the machine after
these steps. Next, I like to make some graphical adjustments to my Mac OSINT build. First, I embed the same
icons used for the Linux VM into the Mac Scripts. The following commands replicate my process. However,
the "mac.txt" file in your downloads includes a single command which conducts all of these steps at once.
• cd ~/Documents/scripts
• fileicon set Domain\ Tool ~/Documents/icons/domains.png
• fileicon set Breaches-Leaks\ Tool ~/Documents/icons/elasticsearch.png
• fileicon set WebScreenShot ~/Documents/icons/eyewitness.png
• fileicon set Gallery\ Tool ~/Documents/icons/gallery.png
• fileicon set HTTrack ~/Documents/icons/httrack.png
• fileicon set Instagram\ Tool ~/Documents/icons/instagram.png
• fileicon set Internet\ Archive ~/Documents/icons/internetarchive.png
• fileicon set Metadata ~/Documents/icons/metadata.png
• fileicon set Metagoofil ~/Documents/icons/metagoofil.png
• fileicon set OSINT\ Tools ~/Documents/icons/tools.png
• fileicon set Recon-NG ~/Documents/icons/recon-ng.png
• fileicon set Reddit\ Tool ~/Documents/icons/reddit.png
• fileicon set Spiderfoot ~/Documents/icons/spiderfoot.png
• fileicon set Updates ~/Documents/icons/updates.png
• fileicon set Username\ Tool ~/Documents/icons/usertool.png
• fileicon set Video\ Download\ Tool ~/Documents/icons/youtube-dl.png
• fileicon set Video\ Stream\ Tool ~/Documents/icons/streamlink.png
• fileicon set Video\ Utilities ~/Documents/icons/ffmpeg.png
You should now see your Mac scripts with custom names and icons. However, you likely cannot launch any of
them by simply double-clicking the files. This is due to Apple's Gatekeeper security rules. Since my simple scripts
are not registered with Apple and none of them possess security certificates, they are blocked by default. There
are two ways to bypass this. You could double-click a script; acknowledge the block; open your security settings;
enter your password; choose the option to allow the script to run; and repeat for each file. This is quite time
consuming. I prefer to right-click on each file; select "Open"; then confirm the security exception. You only
need to do this once per file. This is a one-time nuisance, but the protection is beneficial for digital security.
Next, I want to add my custom scripts to the Dock at the bottom of my screen and within my Applications
folder. I also want to decrease the size of the icons; remove all standard Apple applications from the Dock; and
place my programs in the exact same order as the Linux VM. The command to add the scripts to your
Applications folder is as follows.
ln -s ~/Documents/scripts/ /Applications/
The command to place the scripts within the Dock is too long to place here. It would have taken three pages to
display in the book. The following would copy only the Domain Tool script.
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/Applications/scripts/Domain Tool</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
The long single command included within your "mac.txt" file places shortcuts to every program and script
present within the Linux VM into your Dock. Look for the section titled "Add Programs To Dock And Modify
Size". Warning: It overrides all settings of your current Dock.
Single Install Command (Mac)
You should now possess a Mac machine which replicates practically every aspect of the Ubuntu OSINT VM.
Figure 6.01 displays the final result with all applications visible. You may be expecting a simple command which
will replicate all of these steps as was presented with the Linux VM chapter. If so, you will be disappointed. I
exclude a single install command for a few reasons.
First, the Linux section assumes that you have created a virtual machine which can be easily deleted and rebuilt.
Making these changes to your Mac computer should be very intentional and deliberate. I don’t want to offer a
script which could make drastic changes to your host computer which could impact other installed applications.
Next, replicating the Linux steps is not the same as on a Mac due to security restrictions within the operating
system. There are a few steps which require manual execution which cannot be properly replicated within
Terminal. As an example, I can easily launch and close Firefox within Terminal on Linux, but it can be difficult
to do on a Mac. You must also manually launch the custom programs during first use in order to allow them to
run on your host. I cannot replicate that in Terminal. For these reasons, I ask you to apply these steps manually.
Issues
If you applied the Mac build steps presented within the previous edition of this book, you may see many errors
while executing the steps presented here. This is mostly due to the presence of this software already on your
system. There is no concern. Simply go through these steps, ignore any errors, and be sure to run the update
script when complete. If your Terminal session asks you to override any files, confirm this option. You might
be presented with an option to enter "A" in order to allow overwriting of all files. Either way, allow your system
to replace any previous software and you should be caught up to this version of all software, scripts, and tools.
If you find many of the Terminal applications installed within Brew to be missing, you may have an issue with
your "PATH". Execute "brew doctor" within Terminal and follow the advice presented on the screen.
Figure 6.01: A final macOS OSINT machine.
Updates
Finally, I want the ability to update all of these programs whenever desired. The following can be entered
manually, or you can simply click on the custom "Updates" icon now in your Dock. That script simply executes
each line presented here automatically. All of these commands are also available at the bottom of the "mac.txt"
file on my website. If (when) things change, I will update the information there, and you can apply it to your
own Updates script if desired.
• brew update
• brew upgrade
• brew upgrade --greedy
• brew autoremove
• brew cleanup -s
• rm -rf "$(brew --cache)"
• brew doctor
• brew missing
• sudo -H python3 -m pip list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 sudo -H python3 -m pip install -U
• cd ~/Downloads/Programs/sherlock
• git pull https://github.com/sherlock-project/sherlock.git
• cd ~/Downloads/Programs/WhatsMyName
• git pull https://github.com/WebBreacher/WhatsMyName.git
• cd ~/Downloads/Programs/Sublist3r
• git pull https://github.com/aboul3la/Sublist3r.git
• cd ~/Downloads/Programs/Photon
• git pull https://github.com/s0md3v/Photon.git
• cd ~/Downloads/Programs/theHarvester
• git pull https://github.com/laramies/theHarvester.git
• cd ~/Downloads/Programs/Carbon14
• git pull https://github.com/Lazza/Carbon14
• cd ~/Downloads/Programs/metagoofil
• git pull https://github.com/opsdisk/metagoofil.git
• cd ~/Downloads/Programs/sherloq
• git pull https://github.com/GuidoBartoli/sherloq.git
• cd ~/Downloads/Programs/recon-ng
• git pull https://github.com/lanmaster53/recon-ng.git
• cd ~/Downloads/Programs/spiderfoot
• git pull https://github.com/smicallef/spiderfoot.git
• cd ~/Downloads/Programs/Elasticsearch-Crawler
• git pull https://github.com/AmIJesse/Elasticsearch-Crawler.git
• cd ~/Downloads/Programs/ghunt
• git pull https://github.com/mxrch/ghunt.git
Reverse All Changes (Mac)
Assume you completed this tutorial and you have regret. You made substantial changes to your host operating
system and you simply want to reverse the steps taken within this section. Maybe your supervisor is questioning
your decision to modify an employer-owned computer and you are in the hot seat. Simply conduct the following
within Terminal. Note that this removes all custom settings applied within these programs, but should not
remove any pre-installed applications or unrelated modifications.
• sudo -H python3 -m pip uninstall youtube-tool Instaloader toutatis nested-lookup webscreenshot redditsfinder socialscan holehe waybackpy gallery-dl xeuledoc bdfr search-that-hash h8mail -y
• cd ~/Downloads/Programs/Osintgram
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/sherlock
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/WhatsMyName
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/email2phonenumber
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/Sublist3r
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/Photon
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/theHarvester
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/Carbon14
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/sherloq/gui
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/metagoofil
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/bulk-downloader-for-reddit
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/recon-ng
• sudo -H python3 -m pip uninstall -r REQUIREMENTS -y
• cd ~/Downloads/Programs/spiderfoot
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• cd ~/Downloads/Programs/ghunt
• sudo -H python3 -m pip uninstall -r requirements.txt -y
• sudo rm -r ~/Documents/scripts
• sudo rm -r ~/Documents/icons
• sudo rm -r ~/Downloads/Programs
• sudo rm -r /Applications/scripts
• sudo rm /usr/local/bin/xvfb-run
• brew uninstall zenity youtube-dl yt-dlp ffmpeg pipenv mat2 httrack exiftool internetarchive ripgrep instalooter fileicon wget streamlink libmagic amass firefox google-chrome vlc tor-browser google-earth-pro keepassxc mediainfo phantomjs xquartz
• brew remove --force $(brew list)
• brew cleanup -s
• defaults delete com.apple.dock && killall Dock
All of these commands are at the end of your "mac.txt" file for easy copy and paste. You may receive an error
about permissions for a few Brew apps. This is usually due to files which are actively in use by the operating
system. That is fine, as we will remove those in the next step. The final phase is to remove the Brew application
completely with the following command. Note that this is one command displayed within multiple lines.
• /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/
Homebrew/install/master/uninstall.sh)"
Some readers may wonder why I recommend the lengthy steps on the previous pages when this single command
should wipe out everything installed with Brew. In my experience, deleting the Brew application does not fully
remove apps installed with Brew. Deleting Brew apps, such as Python3, does not remove the dependencies we
installed with the various "pip" commands. Replicating all of these commands eliminates much more data than
removing Brew alone. If you are using the "mac.txt" file to copy and paste the commands as recommended, you
could copy them all at once and let it go. Note that you will likely be asked to enter your password at least once.
Your Mac operating system should be back the way it was before replicating the methods in this chapter. If you
executed any of the apps and conducted queries, you may see that data within your Desktop or Documents
folders. These can be deleted manually. There will still be evidence of these installations within your standard
operating system file structure. However, the applications and all visual clues should now be gone. All of the
scripts and Python dependencies will no longer be present. Next, let’s tackle Microsoft Windows as an OSINT
environment.
Windows OSINT Host
When I first started thinking about creating a Windows OSINT machine, I considered using the Windows
Subsystem for Linux (WSL). This feature allows native use of Linux commands and applications within a virtual
space directly in Windows. However, this presented many issues. Some versions of Windows rely on WSL 1
while others support WSL 2. The file storage within WSL and execution of programs can present complications,
and I eventually abandoned the idea of using WSL for our needs. I then focused on PowerShell. This command
line utility is very similar to the native Windows Command Prompt but with added features. I found it to be
overkill for our needs. Therefore, I settled on traditional batch files executed through Command Prompt.
I have been creating batch files since the 90's. These small text files are very similar to the Bash scripts which
we created previously within Linux. I believe Windows batch files are actually simpler to create and more
straight-forward in design. The menus are not as pretty as what we saw with Linux and Mac. However, the
function will be identical. Let's take a look at the difference. Figure 6.02 (left) displays the Video Download Tool
within the Linux VM. Figure 6.02 (right) displays the Video Utilities Tool available within the Windows OSINT
machine. The left is a pop-up menu while the right is a script within a traditional Command Prompt display.
Some may prefer the simplicity of the Windows option (I do).
Figure 6.02: A comparison of Linux and Windows script execution.
Next, we should compare the scripts. The previous Linux ".sh" files were explained in Chapter Four and were
used during the Mac option presented within this chapter. The ".bat" files included within the "scripts" folder
at https://inteltechniques.com/osintbook9/windows-files.zip are pre-configured to replicate all of the Python
scripts inside Windows. During the upcoming tutorials to build your Windows OSINT machine, I present the
proper way to automatically download and configure these scripts. First, let's take a look at an actual batch file.
The following page displays the Username Tool titled "usertool.bat" within your download.
@echo off
title Username Tool
:home
cls
echo.
echo Select a task:
echo ==
echo.
echo 1) Sherlock
echo 2) SocialScan
echo 3) Holehe
echo 4) WhatsMyName
echo 5) Email2Phone
echo 6) Exit
echo.
set /p web=Type option:
if "%web%"=="1" goto 1
if "%web%"=="2" goto 2
if "%web%"=="3" goto 3
if "%web%"=="4" goto 4
if "%web%"=="5" goto 5
if "%web%"=="6" exit
:1
set /p url=Target Username:
cd %userprofile%\Downloads\Programs\sherlock\sherlock
py sherlock.py %url% > %userprofile%\Documents\%url%-Sherlock.txt
start "" %userprofile%\Documents\%url%-Sherlock.txt
goto home
:2
set /p url=Target Username:
socialscan %url% > %userprofile%\Documents\%url%-SocialScan.txt
start "" %userprofile%\Documents\%url%-SocialScan.txt
goto home
:3
set /p url=Target Username:
holehe %url% > %userprofile%\Documents\%url%-Holehe.txt
start "" %userprofile%\Documents\%url%-Holehe.txt
goto home
:4
set /p url=Target Username:
cd %userprofile%\Downloads\Programs\WhatsMyName
py web_accounts_list_checker.py -u %url% > %userprofile%\Documents\%url%-WhatsMyName.txt
start "" %userprofile%\Documents\%url%-WhatsMyName.txt
goto home
:5
set /p url=Target Email:
cd %userprofile%\Downloads\Programs\email2phonenumber
py email2phonenumber.py scrape -e %url%
pause
goto home
Now, let's break down these new commands.
• @echo off: This disables commands from being displayed within the Command Prompt menu.
• title Username Tool: This displays a title of the menu prompt.
• :home: This identifies the following text as the "home" screen.
• cls: This clears all text from the Command Prompt window.
• echo Select a task: This displays any text after "echo", such as "Select a task".
• echo 1) Sherlock: This displays the menu visible within the Command Prompt window, which
displays the following in this tool.
Sherlock, SocialScan, Holehe, WhatsMyName, Exit
• set /p web=Type option: This provides an option to accept user input. The menu displays
"Type Option" and waits for a response, such as "1".
• if "%web%"=="1" goto 1: This option collects the input from the previous command and
navigates the user accordingly. If you had entered "1", the menu would take you to the commands
under ":1".
• :1: This identifies a set of commands based on the previous selection.
• set /p url=Target Username: This provides an option to accept user input. The menu
displays "Target Username" and waits for a response, such as "inteltechniques".
• cd %userprofile%\Downloads\Programs\sherlock\sherlock: This changes the
directory in order to launch a specific software tool.
• py sherlock.py %url% > %userprofile%\Documents\%url%-Sherlock.txt: This
executes the Python command; loads the Python script; enters the previous user input
(inteltechniques); and outputs (>) the result to a text file within the home directory of the user.
• start "" %userprofile%\Documents\%url%-Sherlock.txt: This launches the text file
which was previously created by the script.
• goto home: This instructs the menu to return to the home screen in order to allow an additional
query.
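In the batch listing, %url% is expanded unquoted into both the command line and the output file name, so whatever is typed at the prompt is parsed by Command Prompt as part of the command. The following is an added sketch, not the author's code, of one menu branch in POSIX shell (the language of the book's Linux and Mac scripts) with an allow-list check before the input is used; the function names is_valid_target and run_query are hypothetical.

```shell
#!/bin/sh
# Added example: is_valid_target and run_query are hypothetical names.

# Accept only characters that usernames and e-mail addresses normally use.
# Anything else (spaces, quotes, path separators, interpreter operators)
# is rejected before it can reach a command line or a file name.
is_valid_target() {
  case "$1" in
    '' | -* | .*) return 1 ;;          # empty, option-like, or dot-leading
    *[!A-Za-z0-9._@+-]*) return 1 ;;   # any character outside the allow-list
    *) return 0 ;;
  esac
}

# run_query OUTDIR LABEL TARGET COMMAND [ARGS...]
# Runs "COMMAND ARGS TARGET" and writes its output to OUTDIR/TARGET-LABEL.txt,
# mirroring "%url%-Sherlock.txt" in the batch listing. Every expansion is
# quoted, so the target is always passed as exactly one argument.
run_query() {
  outdir=$1
  label=$2
  target=$3
  shift 3
  if ! is_valid_target "$target"; then
    echo "Rejected target: only letters, digits and . _ @ + - are allowed" >&2
    return 2
  fi
  report="$outdir/$target-$label.txt"
  "$@" "$target" > "$report" || return 1
  printf '%s\n' "$report"   # path of the report, for the caller to open
}

# Typical call from a menu branch (tool name taken from the listing):
#   printf 'Target Username: '; read -r input
#   run_query "$HOME/Documents" SocialScan "$input" socialscan
```

The same two rules carry over to the batch files: validate the typed value before the first use, and wrap every %url% expansion in double quotes.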
Let's start building our Windows OSINT host. Ideally, you will be creating this machine from a new Windows
installation, but it should also work with existing builds. You may want to practice with a Windows VM first in
order to ensure you want these changes applied to your current machine. The following steps generate numerous
modifications to your Windows operating system and should not be executed without serious consideration.
During the Mac setup, we used Brew as a package manager for the basics. For Windows, we will use Chocolatey.
It can be installed with the following steps. Every command in this section, including any updates, can be found
at https://inteltechniques.com/osintbook9/windows.txt
• Click the Windows menu button (lower-left) and type "cmd".
• Right-click on Command Prompt and select "Run as Administrator".
• Enter the following command into Command Prompt.
• @"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "[System.Net.ServicePointManager]::SecurityProtocol = 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
Next, we can install our basic applications, such as Firefox, Chrome, and others with the following command.
You could eliminate any apps which are undesired, but this demonstration requires all programs listed within
the command.
• choco install python3 youtube-dl yt-dlp googlechrome ffmpeg httrack exiftool exiftoolgui ripgrep vlc tor-browser googleearthpro keepassxc mediainfo git curl unzip wget phantomjs streamlink firefox sed -y
During installation, you might be prompted to accept all defaults. Type "A" and strike enter if this occurs. You
must reboot after the previous step is complete! Next, we can configure Firefox as described in Chapter
Three with the following steps.
• Open Firefox, close it, and enter the following in Command Prompt.
• cd %userprofile%\Downloads\
• curl -u osint9:bookl43wt -O https://inteltechniques.com/osintbook9/ff-template.zip
• unzip ff-template.zip
• cd %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release
• xcopy /Y /E %userprofile%\Downloads\ff-template\*
• Open Firefox, close it, reopen, and confirm extensions and settings.
Next, we can download and configure all custom Windows scripts, shortcuts, icons, and tools with the following
commands within Command Prompt.
• cd %userprofile%\Desktop
• curl -u osint9:bookl43wt -O https://inteltechniques.com/osintbook9/windows-files.zip
• curl -u osint9:bookl43wt -O https://inteltechniques.com/osintbook9/tools.zip
• unzip tools.zip -d %userprofile%\Desktop
• unzip windows-files.zip -d %userprofile%\Documents
• del windows-files.zip tools.zip
Finally, we can install all of the Python OSINT tools which were discussed during the Linux VM and Mac Host
with the following commands. Note that these entries must be within a Command Prompt launched as
"Administrator".
• choco install python --version=3.9.4 -y
• py -m ensurepip
• py -m pip install pip requests aiodns youtube-tool instalooter Instaloader toutatis nested-lookup internetarchive webscreenshot redditsfinder socialscan holehe waybackpy gallery-dl xeuledoc bdfr search-that-hash h8mail -I
• python -m pip install pip requests aiodns youtube-tool instalooter Instaloader toutatis nested-lookup internetarchive webscreenshot redditsfinder socialscan holehe waybackpy gallery-dl xeuledoc bdfr search-that-hash h8mail -I
• mkdir %userprofile%\Downloads\Programs
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/Datalux/Osintgram.git
• cd Osintgram
• c:\Python39\python.exe -m pip install -r requirements.txt
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/sherlock-project/sherlock.git
• cd sherlock
• py -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/WebBreacher/WhatsMyName.git
• cd WhatsMyName
• py -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/martinvigo/email2phonenumber.git
• cd email2phonenumber
• py -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• wget https://github.com/OWASP/Amass/releases/latest/download/amass_windows_amd64.zip
• unzip *.zip
• del *.zip
• git clone https://github.com/aboul3la/Sublist3r.git
• cd Sublist3r
• python -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/s0md3v/Photon.git
• cd Photon
• py -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/laramies/theHarvester.git
• cd theHarvester
• py -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/Lazza/Carbon14
• cd Carbon14
• python -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• wget https://exiftool.org/gui/exiftoolgui516.zip
• unzip *.zip
• del exiftoolgui516.zip
• git clone https://github.com/GuidoBartoli/sherloq.git
• cd sherloq/gui
• python -m pip install -r requirements_win.txt -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/opsdisk/metagoofil.git
• cd metagoofil
• py -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/lanmaster53/recon-ng.git
• cd recon-ng
• py -m pip install -r REQUIREMENTS -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/smicallef/spiderfoot.git
• cd spiderfoot
• py -m pip install -r requirements.txt -I
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/AmIJesse/Elasticsearch-Crawler.git
• mkdir %userprofile%\Downloads\Programs\DownloaderForReddit
• cd %userprofile%\Downloads\Programs\DownloaderForReddit
• wget https://github.com/MalloyDelacroix/DownloaderForReddit/releases/latest/download/DownloaderForReddit.zip
• unzip DownloaderForReddit.zip
• cd %userprofile%\Downloads
• h8mail -g
• sed -i "s/\;leak\-lookup\_pub/leak\-lookup\_pub/g" h8mail_config.ini
• cd %userprofile%\Downloads\Programs
• git clone https://github.com/mxrch/ghunt.git
• cd ghunt
• py -m pip install -r requirements.txt -I
• pip freeze > requirements.txt
• sed -i "s/==/>=/g" requirements.txt
• pip install -r requirements.txt -U -I
• del requirements.txt
You can now drag and drop the files within your Documents\windows-files\shortcuts folder anywhere you like,
including another folder or the Desktop. In Figure 6.03, you can see that I placed them all within my Desktop
for easy access. You can drag and drop each for desired arrangement. I decided to place all of my shortcuts
across the bottom of the screen. You may prefer them to be tidy within a folder. These are shortcuts which
launch the batch files included within your download. I used shortcuts because I can customize them with
specific icons and folder paths to match our needs. For the same reasons cited within the Mac section, I do not
offer a single installation command for Windows. Please conduct all steps manually.
You may have noticed that I replicated all of the Pip installations with both "py" (Python 3.10) and "python"
(Python 3.9). This is because some applications work better with one version over the other. If you encounter a
program which fails, open the corresponding script and change "py" to "python" within that instruction (or vice
versa). Unlike Linux and Mac, Windows does not include Python by default, and forcing Python programs to
function through manual installation can be tiresome. This is a "cheat" which may solve your own issues down
the road.
Updates
You will need to keep all of these programs updated often. You can either launch the shortcut titled "Updates"
or enter the following within Command Prompt as Administrator. The script launches with administrative
privileges by default. All of these commands are also available at the bottom of the "windows.txt" file on my
website. If (when) things change, I will update the information there, and you can apply it to your script.
• choco upgrade all -y
• pip freeze > requirements.txt
• sed -i "s/==/>=/g" requirements.txt
• pip install -r requirements.txt -U -I
• del requirements.txt
• cd %userprofile%\Downloads\Programs
• cd %userprofile%\Downloads\Programs\Osintgram
• git pull https://github.com/Datalux/Osintgram.git
• cd %userprofile%\Downloads\Programs\sherlock
• git pull https://github.com/sherlock-project/sherlock.git
• cd %userprofile%\Downloads\Programs\WhatsMyName
• git pull https://github.com/WebBreacher/WhatsMyName.git
• cd %userprofile%\Downloads\Programs\email2phonenumber
• git pull https://github.com/martinvigo/email2phonenumber.git
• cd %userprofile%\Downloads\Programs
• wget -N https://github.com/OWASP/Amass/releases/latest/download/amass_windows_amd64.zip
• unzip -o amass_windows_amd64.zip
• del *.zip
• cd %userprofile%\Downloads\Programs\Photon
• git pull https://github.com/s0md3v/Photon.git
• cd %userprofile%\Downloads\Programs\theHarvester
• git pull https://github.com/laramies/theHarvester.git
• cd %userprofile%\Downloads\Programs\Carbon14
• git pull https://github.com/Lazza/Carbon14
• cd %userprofile%\Downloads\Programs\sherloq
• git pull https://github.com/GuidoBartoli/sherloq.git
• cd %userprofile%\Downloads\Programs\metagoofil
• git pull https://github.com/opsdisk/metagoofil.git
• cd %userprofile%\Downloads\Programs\recon-ng
• git pull https://github.com/lanmaster53/recon-ng.git
• cd %userprofile%\Downloads\Programs\DownloaderForReddit
• wget -N https://github.com/MalloyDelacroix/DownloaderForReddit/releases/latest/download/DownloaderForReddit.zip
• unzip -o DownloaderForReddit.zip
• del *.zip
• cd %userprofile%\Downloads\Programs\spiderfoot
• git pull https://github.com/smicallef/spiderfoot.git
• cd %userprofile%\Downloads\Programs\Elasticsearch-Crawler
• git pull https://github.com/AmIJesse/Elasticsearch-Crawler.git
• cd %userprofile%\Downloads\Programs\ghunt
• git pull https://github.com/mxrch/ghunt.git
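The "pip freeze" and sed "s/==/>=/g" steps, used both at the end of the installation list and in the update list above, rewrite every "==" in the freeze output, but "pip freeze" also emits lines that are not plain "name==version" pins (editable installs, direct file references, and "===" pins). The following added example, which is not from the book, runs the substitution as written and a stricter variant over constructed freeze output; the sample lines and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed `pip freeze` output covering the line shapes pip can emit.
sample_freeze() {
  cat <<'EOF'
requests==2.25.1
h8mail==2.5.5
-e git+https://example.invalid/demo.git@0000000#egg=demo
localpkg @ file:///tmp/localpkg-1.0-py3-none-any.whl
oddver===2021.custom
EOF
}

# The substitution exactly as the text gives it: every "==" becomes ">=".
# Editable and direct-reference lines pass through untouched, and a "==="
# pin turns into ">==", which is not a valid requirement specifier.
relax_pins_as_written() {
  sed 's/==/>=/g'
}

# Stricter variant (hypothetical helper): rewrite only plain "name==version"
# pins and print nothing for any other kind of line.
relax_pins_strict() {
  sed -n -E 's/^([A-Za-z0-9][A-Za-z0-9._-]*)==([^=].*)$/\1>=\2/p'
}

# The lines the strict variant leaves out, so they can be reviewed by hand
# instead of being silently reinstalled or silently dropped.
skipped_lines() {
  grep -v -E '^[A-Za-z0-9][A-Za-z0-9._-]*==[^=]' || true
}

echo "--- as written:"
sample_freeze | relax_pins_as_written
echo "--- strict:"
sample_freeze | relax_pins_strict
echo "--- skipped for review:"
sample_freeze | skipped_lines
```

Because the install step uses -U and -I, every line that survives the rewrite is fetched again from its source, so the skipped lines show which packages come from somewhere other than the package index.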
Figure 6.03: A final Windows OSINT build with custom Python tools.
Reverse All Changes (Windows)
Enter the following in a Command Prompt with administrative privileges to reverse your steps.
• py -m pip uninstall pip requests aiodns youtube-tool instalooter Instaloader toutatis nested-lookup internetarchive webscreenshot redditsfinder socialscan holehe waybackpy gallery-dl xeuledoc bdfr search-that-hash h8mail -y
• cd %userprofile%\Downloads\Programs\Osintgram
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\sherlock
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\WhatsMyName
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\email2phonenumber
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\Sublist3r
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\Photon
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\theHarvester
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\Carbon14
• python -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\sherloq\gui
• python -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\metagoofil
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\bulk-downloader-for-reddit
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\recon-ng
• py -m pip uninstall -r REQUIREMENTS -y
• cd %userprofile%\Downloads\Programs\spiderfoot
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Downloads\Programs\ghunt
• py -m pip uninstall -r requirements.txt -y
• cd %userprofile%\Desktop
• del *.lnk
• rmdir /Q /S %userprofile%\Documents\windows-files\
• rmdir /Q /S %userprofile%\Downloads\Programs
• choco uninstall all
• rmdir /Q /S \ProgramData\chocolatey
These commands are at the end of the "windows.txt" file. Your Windows operating system should be back the
way it was before replicating the methods in this chapter. There will still be evidence of these installations within
your standard operating system file structure. However, the applications and all visual clues should now be gone.
The following page presents a summary of the custom applications which are now available within your Mac
and Windows systems. These are slightly different than the Linux options previously presented. Specifically,
WebScreenShot replaces EyeWitness, and Recon-ng is not available within Windows. Everything else should
function the same as the Linux versions of the scripts. Hopefully, this prevents barriers between your OSINT
investigations and the Python scripts which aid our efforts.
Mac & Windows Issues
You will likely encounter undesired issues within your own OSINT Mac and Windows builds which are not
present within the Linux VM. Most of these will be related to security or missing dependencies.
In macOS, you may be blocked from opening some utilities installed via Brew. During testing, I
witnessed blockage of "phantomjs" when launching the Internet Archive script. This is because the
developer of this utility has not registered with Apple and paid the fees to be recognized as a "verified"
developer. There is no harm in the software, but Apple warns us they "cannot verify that this app is
free from malware". I had to open "System Preferences" > "Security & Privacy" > "General" and click
[...] in order to use the script. By the time you read this, other developers may be unverified.
In Windows, you may receive a warning stating the operating system "prevented an unrecognized app
from running" while executing the batch files. This is because these simple scripts are not registered
with Microsoft. Clicking "Run Anyway" the first time each script is executed should resolve the issue.
Newer Mac machines with the Apple M1 processor may have many issues, especially with virtualization.
This is due to the compatibility with this chip. I expect to see solutions arise in 2022, but you may
experience difficulties.
Applications within Windows, such as Osintgram, may fail due to conflicts within Python 3.9 and
3.10. While I have modified my scripts with redundant steps to resolve most issues, some applications
may perform poorly. I will continue to provide updates on my website.
Overall, neither Mac nor Windows will be able to fully replicate our Linux VM. Windows users
encounter many issues due to Python conflicts alone. Missing dependencies, outdated
programs, file structure issues, authorization permissions, and countless other issues might prevent your
desired OSINT application from performing properly. For these and other reasons, I always prefer a
Linux virtual machine for my investigations. However, don't let the lack of Linux within your arsenal
prohibit you from attempting these Linux features. Create the OSINT environment best for your needs.
CHAPTER SEVEN
ANDROID EMULATION
For several years, online researchers have been navigating through various social networking websites for
information about individuals. Whether it was older sites such as Friendster and Myspace, or current networks
such as Twitter and Facebook, we have always flocked to our web browsers to begin extracting data. Times have
changed. Today, an entire generation of social network users rarely touch a traditional computer. They operate
completely from a cellular telephone or tablet. Many of the networks through which individuals engage will only
operate on a mobile device. Services such as Snapchat, Tinder, and Kik do not allow a user to access content
from a traditional web browser. As this shift occurs, investigators must transition with it. Our preparation is not
complete until we have disposable Android environments in place.
This chapter will focus on the huge amount of information available through mobile platforms that is not
accessible through a web browser. I will explain a method of emulating a portable device within a traditional
computer. Before we dive into the nuts and bolts of making things work, we should discuss why emulation is
the way to go. In my investigations, documentation is my primary reason for launching a simulated mobile device
within my computer operating system. If I conducted my investigation on an actual smartphone, documenting
my findings can be difficult. Mobile screen captures only cover a small amount of visible content. Extracting
any captured images can be a hassle. Referencing my findings within a final report can become very tedious.
When using Android emulation within my traditional computer, I can easily create numerous screen captures,
record a video of my entire investigation, and paste my results directly into the report.
Privacy and security are also important reasons to consider emulation versus directly investigating from a
portable device. I have seen many law enforcement investigators conduct a search or use an app directly from
their personal or work phones. This opens that device to scrutiny and discovery. An attorney could rightfully
request a copy of the investigator's phone in order to conduct an independent forensic analysis. That would
make most people nervous. Additionally, if I encounter malicious software or a virus from my portable device,
it could affect all future investigations using that hardware. Emulation will remedy both of these situations.
The idea of Android emulation is to recreate the mobile operating experience within an application on your
computer. This application will execute in the same manner that your web browser, word processor, or email
client would open. It will have the exact same appearance as if you were staring at a telephone or tablet. Any
actions that you take within this emulated device will not affect anything else on your computer. Think of it as
an encapsulated box, and nothing comes in or gets out, very similar to our Linux VM previously explained. A
great feature of emulation is that you can create unlimited virtual devices. You could have one for every
investigation in order to prevent any contamination.
Some readers will question why I chose to explain Android emulation instead of iPhone. The most obvious
reason is the number of options. I will explain software solutions for recreating the Android environment on
your computer. An iPhone simulator will only function on Apple computers and has very limited features. The
Android techniques will work on any major operating system. Additionally, we can create Android virtual
machines that possess all original functionality. An iPhone simulator will not connect to most applications and
features, and provides almost no value to the OSINT investigator.
The previous editions of this book focused heavily on Genymotion as an Android emulator. This cross-platform
software allowed us to easily create virtual Android environments which appeared as magical mobile devices on
our screens. I no longer recommend Genymotion as our best initial option, but it will be explained later within
this chapter. The main reason I no longer begin with Genymotion is because it is simply no longer needed due
to the availability of other options, which I present in a moment.
There are other specific reasons as to why many readers no longer use Genymotion within their investigations
and training. The company has started to make the free version of the application difficult to find and enforces
strict licensing rules which may prohibit usage by some OSINT practitioners. I also find that many mobile
applications block virtual devices built through Genymotion software. This often results in application crashes
immediately upon load. Genymotion also now requires an online account in order to download any software,
and forces users to supply these account details when launching the application. This then sends data about your
usage to their servers, which is not ideal. Fortunately, we can avoid all of these pitfalls by building our own
Android devices directly through VirtualBox without the need for third-party container software. Furthermore,
we will build our Android devices without the need to enter Google account details. This is another
improvement from the previous edition.
Hopefully, you already have VirtualBox installed and configured. If not, please revisit Chapter Two and return
to this chapter. The remaining text will assume that your installation of VirtualBox is functioning. Next, we need
an Android image, much like we downloaded a Linux Ubuntu file in order to create a custom OSINT Linux
VM. There are two trusted sources for Android images configured for VirtualBox, as follows.
OS Boxes: https://www.osboxes.org/android-x86/
Linux VM Images: https://www.linuxvmimages.com/images/android-x86/
I always download the latest version in 64-bit format. At the time of this writing, I downloaded Android-x86
9.0 R2 Pie for VirtualBox. This is the second stable release for the Android 9.0, code named Pie, for 64-bit
computers with VirtualBox. OS Boxes offers builds specifically designed for VMWare if you prefer that
platform. Linux VM Images typically only offer VirtualBox builds. Once you have downloaded your desired
Android image, decompress the file (unzip) and store it somewhere easily accessible. You are now ready to
configure your first virtual device. If downloading a "vdi" file, such as provided from OS Boxes, conduct the
following.
• Open VirtualBox and select "New".
• Provide a name, such as "Android 9.0 VM".
• Provide your desired storage location.
• Choose a "Type" of "Other" and "Version" of "Other/Unknown (64-bit)".
• Click "Continue".
• Choose a memory size of at least 4096 MB (preferably 8192 MB), and click "Continue".
• Select "Use an existing virtual hard disk file" and click the folder icon to the right.
• Click "Add" and select the unzipped "vdi" file which you previously downloaded.
• Click "Open", then "Choose", then click "Create".
• Right-click on the new virtual device and choose "Settings".
• Click "Processor" and choose half of your available processor cores.
• Click "Display" and choose the maximum video memory.
• Click "OK".
If downloading an "ova" file, such as provided by Linux VM Images, conduct the following.
• Open VirtualBox and select "File" then "Import Appliance" within the menu.
• Next to "File", click the folder icon to the right.
• Select the "ova" file previously downloaded and decompressed (unzipped).
• Click "Open", then "Continue", then "Import".
• If prompted, agree and acknowledge any terms of service.
• Right-click on the new virtual device and choose "Settings".
• If desired, rename the device, such as "Android 9.0 VM (OVA)".
• Click "System" and choose a memory size of at least 4096 MB (preferably 8192 MB).
• Click "Processor" and choose half of your available processor cores.
• Click "Display" and choose the maximum video memory.
• Click "OK".
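Both sets of steps above can also be scripted with VirtualBox's VBoxManage command-line tool, which helps when a fresh device is built for each investigation. This is an added example, not from the book: the SATA controller, the 128 MB video memory value, the CPUS override, and the file name in the usage comment are assumptions, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the book): the VirtualBox GUI steps above as
# VBoxManage calls. Dry run by default; set APPLY=1 to execute the commands.

MIN_MEMORY_MB=4096   # the chapter's minimum; it prefers 8192
MAX_VRAM_MB=128      # assumption: top of the GUI video-memory slider without 3D

# Half of the host's processor cores, never fewer than one.
half_cores() (
    total="${1:-$(getconf _NPROCESSORS_ONLN)}"
    half=$(( total / 2 ))
    if [ "$half" -lt 1 ]; then half=1; fi
    echo "$half"
)

# Print a command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; return; fi
    line=""
    for arg in "$@"; do
        case "$arg" in
            *[!A-Za-z0-9_./=-]*) line="$line '$arg'" ;;  # quote for display
            *) line="$line $arg" ;;
        esac
    done
    echo "${line# }"
}

# Refuse a missing image, an unknown image type, or too little memory.
check_inputs() (
    image="$1"; memory="$2"
    case "$image" in
        *.vdi|*.ova) ;;
        *) echo "expected a .vdi or .ova file: $image" >&2; exit 1 ;;
    esac
    [ -f "$image" ] || { echo "no such file: $image" >&2; exit 1; }
    [ "$memory" -ge "$MIN_MEMORY_MB" ] 2>/dev/null ||
        { echo "memory must be at least $MIN_MEMORY_MB MB" >&2; exit 1; }
)

# create_android_vm NAME IMAGE [MEMORY_MB]
create_android_vm() (
    name="$1"; image="$2"; memory="${3:-$MIN_MEMORY_MB}"
    check_inputs "$image" "$memory" || exit 1
    cpus="${CPUS:-$(half_cores)}"   # CPUS is a hypothetical override for testing
    case "$image" in
        *.vdi)
            # Type "Other", Version "Other/Unknown (64-bit)" is ostype Other_64.
            run VBoxManage createvm --name "$name" --ostype Other_64 --register || exit 1
            # "Use an existing virtual hard disk file". Assumption: a SATA (AHCI)
            # controller; the GUI wizard may choose a different one.
            run VBoxManage storagectl "$name" --name SATA --add sata --controller IntelAhci || exit 1
            run VBoxManage storageattach "$name" --storagectl SATA --port 0 --device 0 \
                --type hdd --medium "$image" || exit 1
            ;;
        *.ova)
            # "Import Appliance", renaming the device during the import.
            # An appliance that carries a license also needs: --vsys 0 --eula accept
            run VBoxManage import "$image" --vsys 0 --vmname "$name" || exit 1
            ;;
    esac
    # Settings shared by both paths: memory, processor cores, video memory.
    run VBoxManage modifyvm "$name" --memory "$memory" --cpus "$cpus" --vram "$MAX_VRAM_MB"
)

# Usage (placeholder file name): APPLY=1 sh android-vm.sh "Android 9.0 VM" ./android.vdi 8192
if [ "$#" -ge 2 ]; then
    create_android_vm "$@"
fi
```

Run it once without APPLY=1 and read the printed commands before letting it change your VirtualBox configuration.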
Regardless of your download option, you can now double-click your new Android virtual device to launch it.
The display window may appear quite small. If you want to enlarge the view, select "View" in the VirtualBox
menu, highlight "Virtual Screen", then choose an expanded view, such as "Scale to 150%". Figure 7.01 displays
the default view of my new Android 9.0 virtual machine. The first thing I want to do is modify the appearance
and home screen. I conducted the following.
• Click and hold any undesired home icons and drag up to remove them.
• Click and drag the bottom black bar up to display all applications.
• Click and hold any desired apps to drag to the home screen, such as Chrome and Settings.
• Open the Settings app, choose "Display", and change the "Sleep" to 30 minutes.
• Click the back arrow and select "Security & location".
• Ensure "Screen Lock" is set to "None" and "Location" is set to "On".
• Click the circle in the lower menu to return to the home screen.
Figure 7.01: A default home screen view of an Android 9.0 virtual machine.
You may have noticed that once you click inside the Android VM, your cursor is stuck within the window. This
makes it seem impossible to return to the other applications within your computer or to close the virtual
machine. The solution is to unlock your cursor with whatever "Host Key" is set for your computer. In Figure
7.01, you can see "Left" followed by the logo for the "command" key within Apple keyboards. This indicates
that pressing the left command key releases my cursor to my host computer. Be sure to note what key is required
on your computer. Most Windows machines default to the right "Ctrl" key.
You should now have a functioning replica of a standard Android device. However, you are missing several
features. While the core Google applications, such as Gmail and the Play Store, are present, there are no useful
applications for OSINT investigations. You could log in to a Google account within this Android device and
download applications through the Play Store, but I present an alternative. I don't like to associate a Google
account with my investigations, so I download my apps anonymously with the following steps.
• Within the Android virtual machine, open the Chrome browser.
• If prompted, deselect the option to share analytics data with Google.
• If prompted, deny use of a Google account.
• Search "F Droid" within the browser and click the first link.
• Click the "Download F-Droid" button then "Continue" to authorize the download.
• Click "Allow" and "OK" if prompted, then open F-Droid.
• Click "Settings" to enable the toggle to authorize installation.
• Click the top back arrow, then "Install", then "Open".
• Click the search option in the lower-right and search "aurora store".
• Select the Aurora Store application and click "Install".
• Click "Settings" to enable the toggle to authorize installation.
• Click the top back arrow, then "Install", then "Open".
• Click "Next", then "Ask", then "Allow" to authorize this new app.
• Choose "Anonymous" in order to avoid providing a Google account to download apps.
• Search for "Facebook" and choose the "Install" option.
• Click "Settings" to enable the toggle to authorize installation.
• Click the top back arrow, then "Install", then "Open".
Let's digest these steps. You installed F-Droid which is an open-source package installer for Android. It allowed
us to install Aurora Store which is an anonymous replacement for Google's Play Store. Through Aurora Store,
you installed Facebook to ensure the ability to add apps. You authorized all applications to install additional
apps on your device, which should only be a one-time requirement. You can now launch Aurora Store and install
practically any app desired. During this writing, I installed the following apps and moved them to my home
screen.
Facebook     Kik          Tinder           ProtonMail   Fake GPS
Messenger    TikTok       Skout            Wire         Secure Eraser
WhatsApp     Discord      Plenty of Fish   Wickr
Instagram    Viber        Meetup           Telegram
Twitter      TextNow      Badoo            Twitch
Snapchat     Truecaller   Tango            YouTube
Since we are working with a virtual device on a computer screen, there are a few nuances which should be
discussed. By default, internet access is gained through your host computer. If you ever find that applications
seem to stop communicating, check and be sure that "Wi-Fi" is enabled. I have experienced unexplained internet
outages which were corrected by re-enabling Wi-Fi under "Settings". The easiest way to turn the device off is to
click the "X" to close the VirtualBox window and then choose "Send the Shutdown Signal". This notifies the
Android device that you wish to shut down and presents the appropriate pop-up menu to the right. From there,
you can select the "Power Off" or "Restart" option. If this menu is not presented, you can repeat this process
and choose "Power off the machine" within VirtualBox. Finally, I do not like the default pink wallpaper, so I
modified my home screen with the following steps.
• Open Chrome within the Android emulator and search "Black jpeg" without quotes.
• Open any desired option, such as the image from Wikipedia, and save the image.
• Click and hold anywhere on the home screen and select "Wallpapers".
• Choose the "Gallery" option, select "Downloads" and select the black file.
• Click "Set Wallpaper".
My biggest complaint about any virtual Android environment, including this platform and those within premium
third-party software solutions, is the overall speed and usability. There will always be a lag from the moment
you click an app to the point where entry can be made. Unlike our previous Linux VMs, increasing our memory
and processor resources does not seem to help with this issue. My only advice is as follows.
• Always boot the Android device and allow it to perform all updates and automated tasks before
beginning any investigations.
• An Android device with minimal apps may perform better for specific investigations.
• Do not open numerous apps at once. Focus only on the current task.
• If the devices appear unusually slow, reboot and begin again.
Figure 7.02 displays my final result. Many of these apps rely on location data, which is missing from our virtual
device. There is no GPS chip, true Wi-Fi receiver, or cellular tower connection. Therefore, we must "spoof" our
location in order to benefit from location-based applications. I prefer the application called Fake GPS. Open
the application and follow the prompts to enable "Mock Locations". If the automated process fails, conduct the
following.
• Open "Settings" and navigate to "System" then "About Tablet".
• Click "Build Number" seven times until Developer options are enabled.
• In "Settings" navigate to "System" then "Developer Options".
• Click "Select Mock Location App" and choose "Fake GPS".
• Close settings and open the "Fake GPS" application.
• Zoom into your desired area and click the "play" icon in the lower-right.
• Open Chrome and navigate to maps.google.com.
• Ensure that Maps believes you are at the spoofed location.
Figure 7.02: A completed Android virtual device.
After you have your desired location configured and you have confirmed accuracy, you can start to put this
feature to work. The following tutorials explain how I use various mobile applications within my OSINT
investigations, especially location-aware applications which allow me to spoof my location. This could never be
a complete documentation. Any time you encounter a target using a service which possesses a mobile
application, you should consider installing that app to see what further details you can obtain about the target's
profile.
Facebook/Messenger/Instagram: The Facebook app on Android will appear similar to a compressed view
of a standard profile page. The benefit of the mobile app is the ability to check into places. After launching the
app and logging in for the first time, allow Facebook to access your location (which is spoofed). When you click
the "Check In" option, Facebook will present businesses near your current spoofed location. With my test
configuration, Facebook presented the terminals and airlines at the LAX airport. If you choose a location, and
create a post on your timeline, Facebook will verify that you were there. I have used this when I need to portray
that I am somewhere I am not. This method can help you establish credibility within your pseudo profile. You
could easily create the illusion that you were working at a business all day or out clubbing all night. I also once
helped a domestic violence victim confuse her ex-husband with this technique. I posted from her Facebook
account accidentally leaving my spoofed location enabled. He stalked her every move online. After wasting
his time going to random places trying to find her, and always finding the location to be closed, he began
doubting the information that he uncovered about her whereabouts.
WhatsApp: WhatsApp Messenger is an instant messaging app for smartphones that operates under a
subscription business model. In addition to text messaging, WhatsApp can be used to send images, videos, and
audio media messages to other users. Locations can also be shared through the use of integrated mapping
features. You will need to create an account and provide a telephone number for verification. This number can
be a cellular, landline, or VOIP number. I have had success using free Google Voice and MySudo numbers.
After you have an account, you can communicate directly with any target using the service. I have found that
several of my targets refuse to converse over traditional text messaging, but freely text over WhatsApp. If you
conduct any online covert operations, you should have this set up ahead of time.
Twitter: The first time that you use Twitter within your Android environment, you might be asked if you want
to share your location. While I usually discourage this type of activity, sharing your spoofed location can have
many benefits. Similar to Facebook, you can make yourself appear to be somewhere which you are not. You
may want to confuse your target. If you know that he or she will be monitoring your social networks using the
techniques in later chapters, this method should throw them off and be misleading.
Snapchat: For the past few years, I have been unable to connect through the Snapchat app while using
Genymotion. While writing this chapter, I was able to connect through one account but not another. Making
Snapchat work within your emulator will be hit or miss. If you plan to communicate with targets directly through
the mobile app, spending time testing these connections is justified. If you simply want to search public posts,
we will tackle that via a traditional browser later in the book.
Kik Messenger: Kik is an instant messaging application for mobile devices. It is modeled after BlackBerry's
Messenger and uses a smartphone's data plan or Wi-Fi to transmit and receive messages. It also allows users to
share photos, sketches, mobile webpages, and other content. You must create a free account within the app and
you can then search any username or Kik number. Many users do not share personal details, but you can still
use the app during your investigation for covert communication with a target. I warn you that child exploitation
is prominent on Kik Messenger. Pedophiles have been quoted in news sources stating, "I could go on it now
and probably within 20 minutes have videos, pictures, everything else in between off the app. That's where all
the child porn is coming off of". In 2014, a parent confiscated her 15-year-old daughter's cellular telephone after
it was discovered that the minor was sending nude photos of herself to an older man at his request. I was able
to use my Android emulator to log in as the child; continue conversations with the pedophile; and develop
evidence to be used during prosecution. Documentation was easy with screen captures and screen recording.
TikTok: As of October 2020, TikTok surpassed over 2 billion mobile downloads worldwide and established
itself as a dominant social network. While I will explain investigation techniques for this network much later in
the book, having the mobile app ready is vital. The TikTok website does not currently allow native keyword
search, but the mobile app does. Preparation now will provide great benefit later.
TextNow: If you conduct online investigations and communicate with a suspect, it is very possible that you
may be asked to send or receive a standard SMS text message. Since your virtual device does not possess a
cellular connection, and it is not assigned a telephone number, there are no native opportunities for this activity.
However, you can install TextNow, which allows you to send and receive SMS text messages. With this setup,
you can conduct all of your communications through the virtual device, and preserve the evidence within a
single archive.
Truecaller: A later chapter explains reverse caller ID services and how they can identify subscriber information
associated with telephone numbers. There are several additional services that only support mobile use. Truecaller
is a powerful service which allows search of unlimited cellular and landline numbers in order to identify the
owners. Other options include Mr. Number and Showcaller.
Tinder: This dating app relies on your location in order to recommend people in your area that want to "hook
up". It can use your Facebook account associated with your device or a VOIP telephone number for the login
credentials. The preferences menu will allow you to specify the gender, age range, and distance of the targeted
individuals. Most people use this to identify members of their sexual preference within one mile of their current
location. The users can then chat within the app. I have used this to identify whether a target was at home or
another location.
During one investigation, I discovered that my target was a Tinder user. I set my GPS in my Android emulator
to his residence. I could then search for men his age within one mile and identify if he was at home. If I did not
get his profile as a result, I could change my GPS to his work address or favorite bar. When I received his profile
in the results, I knew that he was near the spoofed location. I could do all of this from anywhere in the world.
If the app tells you it cannot see your location, you may need to try another GPS spoofing app.
Badoo/Blendr/Bumble/Skout/Down: These dating apps use various databases of user profiles. They are
similar to Tinder, but some do not require a Facebook account or telephone number. This could be an additional
option for locating a target who uses dating apps. The same method applied to Tinder would work on these
networks. I once used these during a cheating spouse investigation. I connected with a covert female Facebook
profile who was recently accepted as a "friend" with the suspected cheating spouse. Launching the Down app
confirmed that he had an account. Swiping "Down" on his profile alerted him that I wanted to "get down" with
him. This quickly resulted in a very incriminating chat that was later used in litigation. In addition to identifying
the location of targeted individuals, these apps could be used to identify people who are currently at a crime
scene or gathering. I once used this technique to simply document people who were present near a state capitol
during a credible bomb threat. When these people denied their presence during interviews, I had data that
disagreed with their statements. Those who were lying quickly recanted their false statements and saved
investigators a large amount of time.
Secure Communications Apps: If you plan to communicate directly with targets of your investigation, you
should be familiar with the popular secure communication preferences. Asking a suspect of a sex trafficking
investigation to text you via cellular telephone number will not be well received. If you possess a secure
ProtonMail email address or Wire encrypted communications username, your request may be honored.
Possessing these apps within your Android environment allows you to contain the evidence within a VM and
protect your host machine. You could also possess multiple accounts through these providers and log in only
after cloning your machine, as explained later.
Secure Eraser: As time passes, the size of your Android virtual devices will grow. System and app updates alone
will increase the size of your files quickly. Much of this size is unnecessary. When these virtual machines
download new data and update the files, the old files remain, and are not usable. Basically, your virtual devices
start to take up a lot of space for no reason. Secure Eraser helps with this. On your original copy, after you have
updated all of your software, launch Secure Eraser and change Random to 0000-0000. Click the start button and
allow the process to complete. This will remove all of the deleted files. Restart your machine and then clone or
export the device. The new copy will reflect the reduction of file size, but the original will still be large. During
this writing, my Android VM grew to 18GB. After completing the eraser process and cloning the device, the
new VM was only 6.5GB, but was identical to the original.
There are many other similar apps. Now that you have an idea of how to integrate mobile applications into your
investigations, you can apply the same techniques to the next future wave of popular apps. Many social network
apps have no association with location. This content can still have value to an investigation. Some apps, such as
Kik, only function within a portable device. You cannot load a web browser on a traditional computer and
participate with these networks. However, you can access them from within your Android virtual machine. The
goal within this chapter is simply preparation. While we have not yet discussed specific investigation methods
within these services, having a virtual Android device ready now will ease the explanations later.
Genymotion (genymotion.com/fun-zone)
I previously mentioned that Android devices created directly within VirtualBox are preferred over those
provided through third parties. I stand by those statements, but I also respect readers who may prefer other
options. Genymotion may have undesired issues in regard to privacy and licensing, but the product can also be
more beneficial than the previous example. Many readers report that Genymotion Android VMs load faster, feel
smoother, and seem more intuitive. This application-based Android solution is extremely easy to use. It works
with Windows, Mac, and Linux operating systems.
First, you must create a free account online at genymotion.com. This can be all alias information, and the login
will be required in order to fully use the application. After you have created the account and successfully logged
in to the site, navigate to genymotion.com/fun-zone and click on the "Download Genymotion Personal
Edition" link. This presents the standard download page for Windows, Mac, and Linux. If prompted, choose
the version without VirtualBox, as you should already have that program installed. Executing the download and
accepting all default installation options will install all of the required files. When the setup process has
completed, you will have a new icon on your desktop titled Genymotion. This entire process should occur on
your HOST operating system, and not within a virtual machine.
Execute this application and note that an Android virtual machine may already be pre-installed and ready for
launch. Instead of accepting this default option, consider creating your own machine in order to learn the process
for future investigations. I recommend deleting this machine by clicking the menu icon to the right of the device
and choosing "Delete". Perform the following instructions in order to create your first custom Android devices.
• In the left menu, expand the "Android API" menu and select the highest number. My option was 10.0
at the time of this writing. On the right, choose the device. I chose "Google Pixel XL" since I have a
high-resolution screen, and then clicked "Add custom device". You may want to choose a device with
a smaller screen for your hardware.
• Rename this device similar to Android 10.0 Original. Change the "Android Version" to the highest
option and click "Install". This will download and configure the device for immediate use, and can take
several minutes.
• Launch the new device by double-clicking the new machine present in the Genymotion software. The
machine will load in a new window which should appear similar to the screen of an Android telephone.
Click OK to any feature notifications. Figure 7.03 (left) displays the default view of my home screen.
• Navigate within the Android emulator by single-clicking on icons and using the "Back" icon in the
lower left that appears similar to a left facing arrow.
• Consider the following customizations to improve the look and feel of the device. Figure 7.03 (right)
displays the view of the home screen after these configurations.
    • Drag any app icons up and drop them in the "Remove" option.
    • Click and hold the bottom of the screen and drag up to view installed applications.
    • Drag the Settings icon to your home screen and open the app.
    • Choose "Display", then "Sleep", and select "30 Minutes".
    • Choose "Security", then "Screen Lock", and choose "None".
    • Press and hold the main window, select Wallpaper, and change if desired.
    • Shut down the device and open VirtualBox.
    • Similar to the VM settings, change the Video Memory to the maximum.
    • Change the Memory size to half of the system resources.
    • Relaunch your device from within the Genymotion application.
Figure 7.03: A default Android (left) and the custom version free of clutter (right).
You should now have a functioning replica of a standard Android device. However, you are missing several
features. The biggest void is the absence of key applications such as Google Play and Gmail. Without core
Google services, you cannot download apps to your device as part of your investigation tools. This has been the
biggest hurdle with emulation. Consequently, there is finally an official fix, and an alternative option for advanced
users. First, let's try the easy way by using the Genymotion built-in Google features.
• While inside our virtual Android device, click the "Open GAPPS" icon in the upper right corner. Accept
the agreement and allow Google Apps to install. Select the option to restart the devices.
• Your browser should open to https://opengapps.org/?source=genymotion. Select "ARM64", the
version of the device that you created (10.0.0), and "Stock". Click the red download option in the lower
right and save the large file to your Desktop. Do NOT open the downloaded zip file.
• Drag-and-Drop the downloaded zip file into your running Android device. Accept any warnings. You
may receive errors. When complete, close and restart the device.
You should now have the Google Play Store in your applications menu. Launching it should prompt you to
connect to an existing or new Google account. Consider using an anonymous account that is not used for
anything else. I do not recommend creating a new account from within this virtual machine because Google will
likely demand a cellular telephone number for verification. I prefer to create Google accounts from a traditional
computer before connecting to the virtual Android device. After syncing with an active Google account on your
new device, you should now be able to enter the Google Play Store. You should also now see all core Google
services in your applications menu.
You can now install any apps within the Play Store. If any apps refuse to install because of an incompatible
device, you could replicate the F-Droid and Aurora Store technique explained in the previous tutorial. The
addition of Google Play will allow you to natively install Android applications as if you were holding a real
telephone or tablet. Launch Google Play and you will be able to search, install, and execute most apps to your
new virtual device. After you install a new program, click on the applications menu. Click and hold the new app
and you will be able to drag it to your home screen. Figure 7.04 (left) displays the screen of my default
investigation emulator. Next, you should understand the features embedded into the Genymotion software.
When you launch an Android virtual machine, you will see a column on the right side of the window and a row
of icons horizontally on the bottom. The bottom icons are part of the emulated Android system. Clicking the
first icon will navigate you backward one screen from your current location. If you are within an app, this would
take you back one step each time that you press it. The second icon represents the "Home" option and will
always return you to the home screen. The third button is the "Recent Apps" option and it will load a view of
recently opened applications. The icons on the right of the emulator are features of Genymotion and allow you
to control aspects of die Android machine from outside of the emulator. The following page displays this
column of options, which should help explain each of these features. Note that many features are not available
in the free version, but 1 have never found that to be a hindrance to my investigations. Genymotion is quite
clear that ifyou plan on making money by designing an app through their product, you should pay for a license.
Non-commercial usage allows unlimited use of the free personal version.
The GPS option within Genymotion is the most beneficial feature of their toolset. Clicking this icon and clicking
the Off/On switch will execute the location spoofing service. You can either supply the exact coordinates
directly or click on the "Map" button to select a location via an interactive Google map. Figure 7.04 (middle)
displays the default GPS menu in the disabled state. Figure 7.04 (right) displays coordinates entered. I
recommend changing the altitude, accuracy, and bearing settings to "0". Close this window and you will see a
green check mark in the GPS button to confirm that your location settings are enabled.
Figure 7.04: A custom Android emulator home screen with several apps installed into groups (left), disabled
Genymotion GPS menu (middle) and spoofed GPS (right).
GAPPS Indicator: Confirms Google Services are installed.
Battery Indicator: It does not have any impact on your virtual machine.
GPS: Enable and configure the current location reported to the device.
Webcam: Use your computer's webcam for live video within an app.
Screen Capture: Not available in the free version.
Remote Control: Not available in the free version.
Identifiers: Not available in the free version.
Disk I/O: Not available in the free version.
Network Configuration: Not available in the free version.
Phone: Not available in the free version.
App Sharing: Not available in the free version.
Volume Up
Volume Down
Screen Rotate: Flip your view into horizontal mode similar to a tablet.
Pixel Configuration: Not available in the free version.
Back Button: Moves back one screen from current app location.
Recent Apps: View recently opened applications.
Menu: Simulates the "Menu open" option within an application.
Home: Returns to the Home screen.
Power: Shuts down the device.
Contact Exploitation
Mobile apps often urge users to invite friends into the app environment. When you first join Twitter, the app
requests access to your contacts in order to connect you with "friends" who are also Twitter users. This is one
of the most reliable ways which apps can keep you within their ecosystem. As investigators, we can use this to
our advantage. I have found that adding my unknown target's cellular telephone number to the Android phone's
address book will often obtain the following information relative to the target.
• Associated Facebook accounts (name) from the "Find Friends" feature.
• Google Play purchases and reviews (interests) from the Google Play Store.
• Associated Twitter accounts (name) from the "Find Friends" feature.
• WhatsApp usernames and numbers (contact) registered to the cell number.
Basically, entering a target's phone numbers and email addresses into your address book on an Android emulator
forces many apps to believe that you are friends with the person. It overrides many authority protocols that
would otherwise block you from seeing the connection from the real details to the connected profiles. Figure
7.05 displays a redacted result of one attempt. I launched "Contacts" from within the Android applications and
added a cellular number of a target with any name desired. I then launched Facebook and clicked the "Find
Friends" option. Facebook immediately identified an account associated with the number entered.
Figure 7.05: A Facebook "friend" disclosure after adding a cellular number to Contacts.
Let's consider another example using the popular secure messaging program Signal. When I downloaded the
Signal app, it wanted me to register a telephone number. I chose a Google Voice number and configured the
app. I then added my target's cellular number into my Android contact list and asked Signal to search for friends.
Signal immediately confirmed that my target was active on Signal. This alone is valuable in regard to behavior,
but not very helpful to establish identity. If I launch a new window to send a message to the number, even if I
do not send the data, I may see a name associated with the account. This would need to be a deliberate act by
the target, but this behavior is common.
Virtual Device Cloning
Similar to the tutorials for cloning Linux virtual machines, we can apply the same process toward our new
Android VM. Similar to the earlier instruction about using a clean virtual machine for every investigation, you
should consider a new Android virtual device every time to research a target. The steps taken previously may
seem too complicated and laborious to execute every day, so you may want to maintain an original copy and
clone it. The following instructions will clone the exact state of any virtual Android device within VirtualBox,
including devices created within Genymotion.
• Create and customize an Android virtual device as desired. Configure all apps that you want present in
all cloned copies. Optionally, execute the app "Secure Eraser" to eliminate unnecessary hard drive space.
Shut down the machine completely.
• Open VirtualBox from your Applications folder (Mac) or Start menu (Windows). Right-click the
machine that you want to duplicate and select "Clone". Figure 7.06 displays this program with a right
click menu option from an active machine.
• Provide a name for your new machine. This could be "Investigation Original Copy" or "2021-1234".
Choose the options of Full Clone and Current machine state and click the Clone button. VirtualBox
will create an exact duplicate of the chosen machine in the default folder for VirtualBox machines. You
can identify this folder by right-clicking your new machine and choosing "Show in Finder" (Mac) or
"Show on disk" (Windows).
You can now use this cloned device to conduct your investigation. Any changes made within it will have no
impact on the original device. In fact, I titled my original investigation device "Android Original 9.0", as seen in
Figure 7.06. This way, I know to only open it to apply updates, and never for active investigations. Every time I
need to use a device to research a target, I quickly clone the original and keep all of my cases isolated.
Figure 7.06: A VirtualBox menu with a clone option in the menu.
Virtual Device Export
You may be asked to provide all digital evidence from your investigation as a matter of discovery. This could
happen to a forensic examiner hired in a civil case or law enforcement prosecuting a criminal case. This is the
precise reason that I create a new virtual device for all my investigations. Not only is it a clean and fair
environment, it is easy to archive and distribute when complete. The following instructions will generate a large
single file that contains the entire virtual operating system and apps from your investigation.
• Open VirtualBox in the same manner as mentioned previously.
• Select the target virtual device, click on "File" in the menu bar, and select "Export Appliance". Select
the device again and provide the save location and name of the file.
• Click "Export" and allow the process to complete. The final result will consist of a single file that can
be archived to DVD or flash media.
• This file can be imported into VirtualBox by choosing the "Import Appliance" option in the File menu.
This would allow another investigator to view the exact investigation environment as you.
Native Android within VirtualBox and Genymotion are not your only options. Third-party applications such as
BlueStacks (bluestacks.com), Andy (andyroid.net), and NoxPlayer (bignox.com) all offer the same basic
functionality with added overhead and requirements. After installation, most of these programs work the same
way as VirtualBox. In fact, most of them rely on VirtualBox on the back end. I choose VirtualBox over these
because of the ability to easily import and export evidence as a virtual machine. While the others have their own
backup and export options, I find the tutorials presented here to be more transparent and acceptable in court.
I encourage you to experiment with all of the options, and choose any that work best for you. I always keep a
native VirtualBox version of Android 9.0 and a Genymotion version of 10.0 available and updated at all times.
At the time of this writing, my Genymotion machine seemed more responsive and functional, but my VirtualBox
devices were more isolated and exempt from licensing complications. Only you can decide the best path for
your investigations, but I encourage you to explore both options.
Overall, I believe the future of OSINT collection will become more focused on mobile apps that have no website
search option. In order to conduct thorough online investigations, mobile environment emulation is required. I
highly recommend practicing these techniques with non-essential apps and data. This will better prepare you for
an actual investigation with proper evidence control. Expect frustration as apps block access from within virtual
devices due to fraud. However, the occasional investigation success through virtual Android environments
justifies all of the headaches encountered along the way.
Chapter Eight
Custom Search Tools
From 2010 through 2019, I offered a set of public free interactive online investigations tools. In June of 2019, I
was forced to remove these tools due to abuse and legal demands. However, I never agreed to prevent others
from creating their own sets or offering downloadable copies which can be run locally from any computer. In
the previous edition of this book, I offered an offline version of these tools which could be self-hosted and
immune from vague takedown requests. This chapter revisits these tools and offers several enhancements. The
goal of this chapter is to help you create and maintain your own custom search tools which can automate queries
for any investigation. First, let's talk about why this is so important.
I assumed my search tools would be around as long as I maintained my site. I learned the hard way that nothing
lasts forever. We can no longer rely on third-party tools, a theme which I have overly-emphasized throughout
this entire book. Any online search tool outside of your control could disappear any day. That is not the worst
possible outcome. We never truly know what information various online search tools are storing about our
searches and activity. Many aggregated search sites possess numerous tracking cookies and practically all "link
collections" force embedded analytics capturing data about every visitor. Creating and hosting your own tools
eliminates these issues. We still must query sensitive data to a final repository of information, but let's eliminate
the middle-man. All of the tools presented in this chapter, and referenced throughout the book, do not need to
be placed online within a website. You can store them on your computer and launch them without fear of
questionable connections. Let's get started.
First, download a copy of all search tool templates used within the entire book. This can be found at
https://inteltechniques.com/osintbook9/tools.zip. Enter a username of "osint9" and password of
"bookl43wt" (without quotes) if required. Unzip this archive to a destination of your choice. If using the
Linux, Mac, or Windows OSINT builds which were previously explained, you should already have the necessary
files on your Desktop. I always suggest saving them to the Desktop for easy access. However, anywhere should
suffice. Be sure to extract all of the files within the zip file.
This collection reveals a folder titled "Tools" consisting of multiple files within it. Technically, you have
everything you need to replicate my once public search tools. However, it is up to you to modify these as needed.
You will eventually want to remove dead sources, add new features, and modify the structures due to changes
at third-party websites. I will use my Email Tool as a demonstration. Figure 8.01 displays the current view of
the Email tool. As you can see, there are several individual search options and a "Submit All" feature at the
bottom. Inserting an email address into any of these fields will query that address through the designated option,
or the final field executes a search through all of them. Let's pick apart one of these queries from within the
code. By default, double-clicking on any of the files within the search tool folder opens the selected option
within your default web browser. This is required for any of them to function. In order to edit the files, we must
open them within an HTML editing tool or any text processing application. If you are on a Mac, that could be
TextEdit, Windows users have Notepad, and Linux users have Text Edit. All work fine for our needs. Lately, I
prefer Atom (atom.io), which is a cross-platform free text editor.
If you open the file titled email.search.html within a text editor (File > Open), you will see the code which makes
this document function within a web browser. The following explains each section. Complete understanding of
each term is not required to use and modify your own tools, but these pages may serve as a reference if you ever
want to make substantial changes.
<!DOCTYPE html><html>
This informs a web browser that this is a web page, even if offline, and begins the page.
<style>
ul {list-style-type: none;margin: 0;padding: 0;width: 200px;background-color: #f1f1f1;}
li a {display: block;color: #000;padding: 8px 16px;text-decoration: none;}
li a:hover {background-color: #555;color: white;}
li a.active {background-color: #303942;color: white;}
li a.grey {background-color: #cdcdcd;color: black;}
li a.blue {background-color: #b4c8da;color: black;}
table td, table td * {vertical-align: top;}</style>
This sets the style requirements such as colors and sizes of the content within the page. You can experiment
with these settings without risking the function of the tools.
<head>
This informs your browser that the "head" or "header" portion of the page begins now.
<title>Email Search Tool</title>
This represents the title of the page, visible in the browser tab.
</head>
This discloses the end of the "head" or "header" section.
<body>
This informs your browser that the "body" portion of the page begins now.
<table width="1000" border="0"><td width="200"><td width="800">
This creates a table within our content and sets the overall width with no border. It then specifies the width of
the columns. The data in between identifies the menu items visible on the left of the page, which are considered
the first column within the table.
<script type="text/javascript">
This identifies the following text as a JavaScript command.
function doPopAll(PopAll)...
This provides instruction to the browser which allows our tools to populate given data to the remaining fields.
It is required for the next option.
<form onsubmit="doPopAll...
This section creates the "Populate All" button which populates the given data throughout the remaining tools.
function doSearch01(Search01)
This tells the page we want it to "do" something, and the task is called Search01.
{window.open('https://haveibeenpwned.com/unifiedsearch/' + Search01, 'Search01window');}
This instructs the page to build a URL, add a piece of data, and open the result in a tab.
</script>
This identifies the end of each script.
<form onsubmit="doSearch01(this.Search01.value); return false;">
This creates a form to generate the URL, looking for a specific value.
<input type="text" name="Search01" id="Search01" size="30" placeholder="Email Address"/>
This creates a form input identified as Search01 with "Email Address" populated in the field.
<input type="submit" style="width:120px" value="HIBP Breaches" /><br /></form>
This creates the Submit button with specific text inside, inserts a new line, and closes the form.
</table></body></html>
This identifies the end of the "table", "body", and "HTML" sections, and closes the page.
This only represents the first search option within this tool, but it is quite powerful. This collects a target email
address and queries the website Have I Been Pwned to identify known data breaches containing this account.
This technique will be explained in more detail later in the Email chapter. This also demonstrates the need for
a search tool versus simply visiting the search site. If you go to haveibeenpwned.com, you can enter an email
address to conduct your search. The new page presented does not include a static URL for that search. The page
with your results still possesses a simplified address of haveibeenpwned.com, and not something static and
similar to haveibeenpwned.com/[email protected]. Bookmarking this page would not present the search results
which you have just achieved. This is why I am using a different static address of
https://haveibeenpwned.com/unifiedsearch/[email protected]. It presents the same content, but is a text-only
format. Below is another example to explain this.
Conducting the search on the official site presents a graphical output similar to that seen in Figure 8.02.
However, the static address I just mentioned presents a view from the Have I Been Pwned API, as seen in
Figure 8.03. The same data can be found in each offering, but the text view can be copied and pasted more
easily. It also possesses a static URL which can be referenced in your report and recreated later. You may be
wondering where this URL came from. It is not advertised on the site, and is not an official option within the
API (which is now a paid service, but this URL is free). That is our next tutorial.
Navigate to haveibeenpwned.com within Firefox and allow the page to load. Conduct the following steps to
identify the exact URL which submits a query to return data about your target.
• Right-click on the page and choose "Inspect Element".
• Click the "Network" tab in the new window at the bottom of the page.
• Type an email address into the website and execute the search.
• Scroll through the new text in the Inspector window at the bottom of the page.
• Click on the result displaying the target email address with "xhr" in the "Cause" column.
• Copy the URL in the window to the right under "Headers" as seen in Figure 8.04.
Figure 8.01: The Email Addresses Tool.
Oh no — pwned!
Pwned on 82 breached sites and found 52 pastes (subscribe to search sensitive breaches)
Figure 8.02: A result from the Have I Been Pwned website.
Fields shown: Title, Domain, BreachDate, AddedDate, ModifiedDate, PwnCount, Description, LogoPath.
Figure 8.03: A result from the Have I Been Pwned API.
Headers Cookies Params Response Timings Stack Trace
Request URL: https://haveibeenpwned.com/unifiedsearch/test%40email.com
Request method: GET
Remote address: 104.10.173.13:443
Figure 8.04: The static URL from a query as seen in Inspector.
With this method, we can identify the URL structures for our tool. In the example displayed previously, our tool
presented a line of code which included the URL required for the search.
{window.open('https://haveibeenpwned.com/unifiedsearch/' + Search01, 'Search01window');}
This line instructs the tool to open a new browser window, navigate to the website
https://haveibeenpwned.com/unifiedsearch/, followed by whatever text was entered into the search tool, and
define that new window (or tab) with a unique name in order to prevent another search within our tool from
overwriting the page. This results in our tool opening a new tab with our desired results
(https://haveibeenpwned.com/unifiedsearch/[email protected]). Let's look at another search option within this
same tool with a slightly different structure.
The Dehashed search option is unique in that it requires quotation marks surrounding the input. In other words,
you must enter "[email protected]" and not simply [email protected]. This requires us to add an additional
character after the target input has been provided. Below is the example for this query. Note that double quotes
(") are inside single quotes ('), which appears quite messy in print. Always rely on the digital files to play with the
actual content.
{window.open('https://dehashed.com/search?query="' + Search05 + '"', 'Search05window');}
This line instructs the tool to open a new browser window, navigate to the website
https://dehashed.com/search?query=", followed by whatever text was entered into the search tool, plus another
quotation mark (a single quote, double quote, and another single quote), and define that new window (or tab)
with a unique name in order to prevent another search within our tool from overwriting the page. The lesson
here is that you can add as many parameters as necessary by using the plus (+) character. You will see many
examples of this within the files that you have downloaded. Remember, every search tool presented in this book
is included in digital format. You only need to modify the options as things change over time.
Let's assume Dehashed made a change to their search, which appears in the tool as follows.
{window.open('https://dehashed.com/search?query="' + Search05 + '"', 'Search05window');}
This is because the URL structure of the search is as follows:
https://dehashed.com/search?query="[email protected]"
Assume that Dehashed changed the search structure on their site to the following:
https://dehashed.com/?query="[email protected]"&trial
Your new line within the tool would need to be manipulated as follows:
{window.open('https://dehashed.com/?query="' + Search05 + '"&trial', 'Search05window');}
Next, let's assume that you found a brand-new search service which was not included in the downloadable search
tools. You will need to modify the tools to include this new option. Again, we will use the email tool as an
example. Open the "Email.html" file within a text editor. Look through the text and notice that each search
script possesses an identifier similar to "Search01", "Search02", "Search03", etc. These must each be unique in
order to function. You will notice that the final option (after the Submit All feature) is "Search25". We now
know that our next option should be "Search26". Assume that you found a website at emailleaks.com and you
want to add it to the tools. A query of an email address presents a URL as follows.
https://emailleaks.com/[email protected]
You would next copy the "Search24" script and paste it at the end of the tool (before the Submit All feature).
You can then edit the script, which should look like the following, using "Search26" and our new URL.
<script type="text/javascript">
function doSearch26(Search26)
{window.open('https://emailleaks.com/ajax.php?query=' + Search26, 'Search26window');}
</script>
<form onsubmit="doSearch26(this.Search26.value); return false;">
<input type="text" name="Search26" id="Search26" size="30" placeholder="Email Address"/>
<input type="submit" style="width:120px" value="Email Leaks" /><br /></form>
All we changed within this copy and paste job was the target URL, the Search26 identifiers, and the descriptor.
You can place this section anywhere within the tools, as it does not need to be at the end. Note it is titled
Search26, so any new options added would need to start with Search27. These numbers do not need to be
sequential throughout the tool, but they must be unique.
Submit All
Many of the online search tools offer a "Submit All" button at the bottom of the options. This executes each of
the queries referenced above the button and can be a huge time saver. If you open one of the search tools with
this option in a text editor, you will see the code for this at the bottom. It appears very similar to the other search
options, but there are multiple "window.open" elements such as those listed below.
window.open('https://haveibeenpwned.com/unifiedsearch/' + all, 'Search01window');
window.open('https://dehashed.com/search?query=' + all, 'Search05window');
In each of the tools, I have simply replicated the individual search options within one single "Submit All" feature.
If you modify a search tool within the code next to the manual search, you should also update it under the final
option to execute all queries. If you feel overwhelmed with all of this, do not panic. None of this is required at
this point. Your own custom offline search tools are already configured and functioning. If a specific
desired tool stops functioning, you can use this chapter to change your scripts.
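One way to avoid editing every URL twice (once in its own script and again under "Submit All") is to define each service once and build both from that list. The following is an added example, not the code shipped in the downloadable tools; SERVICES, buildUrl, buildAll and submitAll are assumed names, emailleaks.com is the chapter's hypothetical site, and unlike the plain "+" concatenation shown above it percent-encodes the input.

```javascript
// Added example: one table drives both the single searches and "Submit All".
// SERVICES, buildUrl, buildAll and submitAll are illustrative names, not the
// identifiers used in the downloaded tools.
const SERVICES = [
  // final URL = prefix + encoded input + suffix
  { id: 'Search01', label: 'HIBP Breaches',
    prefix: 'https://haveibeenpwned.com/unifiedsearch/', suffix: '' },
  // Dehashed requires the input wrapped in double quotes.
  { id: 'Search05', label: 'Dehashed',
    prefix: 'https://dehashed.com/search?query="', suffix: '"' },
  // Hypothetical service from the chapter's walk-through.
  { id: 'Search26', label: 'Email Leaks',
    prefix: 'https://emailleaks.com/ajax.php?query=', suffix: '' },
];

// Build the query URL for one service, or null when there is nothing to search.
function buildUrl(service, rawInput) {
  const input = String(rawInput).trim();
  if (input === '') return null;
  // encodeURIComponent stops characters such as & # ? = and spaces in the
  // target value from being read as URL syntax by the receiving site.
  return service.prefix + encodeURIComponent(input) + service.suffix;
}

// Build every query for "Submit All": one { url, windowName } per service.
function buildAll(rawInput, services = SERVICES) {
  const jobs = [];
  for (const s of services) {
    const url = buildUrl(s, rawInput);
    // A unique window name keeps one search from overwriting another's tab.
    if (url !== null) jobs.push({ url, windowName: s.id + 'window' });
  }
  return jobs;
}

// Browser-only: open each query in its own named window.
// window.open returns null when the pop-up blocker refuses, so the return
// value is the number of tabs that were actually allowed to open.
function submitAll(rawInput, win = globalThis.window) {
  if (!win || typeof win.open !== 'function') return 0;
  let opened = 0;
  for (const job of buildAll(rawInput)) {
    if (win.open(job.url, job.windowName)) opened += 1;
  }
  return opened;
}
```

When a site changes its URL structure, only that entry's prefix and suffix change; comparing the count returned by submitAll with SERVICES.length shows whether the pop-up blocker stopped any of the tabs.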
You may have noticed that there are several files within the Tools folder. Launching any of these opens that
specific tool, such as "Email.html", but a menu exists within each of the pages in order to navigate within the
tool to the desired page. The file titled "index.html" is the "Main menu", and might be appropriate to set as your
browser’s home page. Clicking on the desired search option within the left side of the menu opens that specific
tool. As an example, clicking on "Twitter" presents numerous Twitter search options. These will each be
explained at the end of each corresponding chapter.
Simplified Modification
I am sure some readers are frustrated at the technology presented here. Some may look at this code and cite
numerous ways it could be made better. I agree this is amateur hour, as I am not a strong HTML coder. Other
readers may be confused at all of this. For those, there are two options which simplify things. First, ignore this
entire chapter and simply use the free tools without any modification. Some options will break eventually as sites
come and go, but that should not impact the other fields. Second, don't worry too much about adding new
features. Instead, simply replace any searches that stop functioning. If Dehashed shuts down tomorrow, simply
wait for a replacement. When that happens, modify only the URL and name, leaving the structure as-is.
You have a strong start with the current tools template. Very minimal modifications as things break will keep
you in good shape. Any major updates which I perform to my own set of tools will be offered on my site for
download. Check the "Updates" section at the following page.
https://inteltechniques.com/osintbook9
Populate All
You may have noticed that most of the tools have an option to populate all of the fields from a single entry.
This is beneficial as it prevents us from copying and pasting target data within multiple fields. This code, which
was presented earlier, tells your browser to populate anything you place into the first field within every field on
that page which has an ID of "Search" plus any numbers. In other words, it would populate both examples on
the previous page because they have id="Search25" and id="Search26". Test this within the Email search tool.
Make sure each "id" field is unique, as no two can be the same on one page.
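The book shows the Populate All function only by name, so the following is an added example of the behavior described above rather than the tools' own code: it fills every field whose id is "Search" plus digits, and it audits a tool file's HTML text for the copy-and-paste mistake of a reused id. The function names and the sample HTML are constructed for illustration.

```javascript
// Added example (not the downloaded tools' code); names are illustrative.
const SEARCH_ID = /^Search\d+$/;

// Fill every input whose id is "Search" plus digits with the same value.
// Returns the number of fields filled. Needs a DOM, so it does nothing
// (and returns 0) when no document is available.
function populateAll(value, doc = globalThis.document) {
  if (!doc || typeof doc.querySelectorAll !== 'function') return 0;
  let filled = 0;
  for (const el of doc.querySelectorAll('input[id^="Search"]')) {
    if (SEARCH_ID.test(el.id)) {
      el.value = value;
      filled += 1;
    }
  }
  return filled;
}

// Scan the text of a tool file for id="SearchNN" attributes and report
// how many distinct ids exist, which ones are reused, and the next free one.
function auditSearchIds(html) {
  const counts = new Map();
  const re = /\bid\s*=\s*["']?(Search\d+)\b/g;
  for (const m of html.matchAll(re)) {
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  const duplicates = [...counts]
    .filter(([, n]) => n > 1)
    .map(([id]) => id)
    .sort();
  // "Search".length === 6, so slice(6) is the numeric part of the id.
  const numbers = [...counts.keys()].map((id) => Number(id.slice(6)));
  const highest = Math.max(0, ...numbers);
  const nextId = 'Search' + String(highest + 1).padStart(2, '0');
  return { total: counts.size, duplicates, nextId };
}

// Constructed sample: the last field was pasted from Search25 and its
// name was updated, but its id was not.
const SAMPLE_HTML = `
<input type="text" name="Search01" id="Search01" size="30" placeholder="Email Address"/>
<input type="text" name="Search05" id="Search05" size="30" placeholder="Email Address"/>
<input type="text" name="Search25" id="Search25" size="30" placeholder="Email Address"/>
<input type="text" name="Search26" id="Search25" size="30" placeholder="Email Address"/>
`;
```

Running auditSearchIds over the text of a tool file after each edit catches a duplicated id before Populate All silently skips or double-fills a field.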
When I need to search a specific target, I do not copy the data into each search field and press the corresponding
button for each service. I place the input directly into the "Populate All" option and then execute any individual
searches desired. Alternatively, I place my target data into the "Submit All" option and let it go. If using Firefox,
this will fail on the first attempt. This is because you have pop-ups blocked by default, and Firefox is trying to
protect you from multiple new pages loading automatically. The following steps will prevent this.
• Open the Email.html search tool included in your downloaded offline search tools.
• Place any email address in the last option and press the Submit All button.
• A new tab will open, but close it.
• Back in the Email search tool, you should see a yellow banner at the top.
• Click the Preferences button and click the first option to "Allow pop-ups for file".
This will prevent your pop-up blocker from blocking that specific page. You would need to repeat the process
for each of the other tools, such as Twitter, Facebook, etc., which can be quite a burden. If desired, you can
disable the pop-up blocker completely, but that carries risks. You may visit a malicious website which begins
loading new tabs. I do not see this as much as in years past, but the threat does still exist. If conducting your
research within a VM, I do not see a huge risk in disabling this blocker. If you do, all of the tools will function
without specific modifications to the blocker. Make this decision carefully.
• Click the Firefox menu in the upper right and choose Preferences or Options.
• Click on Privacy & Security and scroll to Permissions.
• If desired, uncheck the "Block pop-up windows" option.
While I would never do this on my primary browser used for personal activity on my main computer, I have
disabled the pop-up blocker within my OSINT Original VM (and therefore all clones). It simply saves me
headaches when trying to use automated tools. If only using the single queries within the tool, your pop-up
blocker will not interfere. I highly recommend that you become familiar with these search tools before you rely
on them. Experience how the URLs are formed, and understand how to modify them if needed. Each of these
tools will be explained in the following chapters as we learn all of the functions.
License & Warranty
These tools are released to you for free. Full details of allowances and restrictions can be found in the
"License.txt" file and "License" link within the tools download. The tools are provided "as is", without warranty
of any kind. Please follow my blog or Twitter account for any updates. Ultimately, it is your responsibility to
update your tools as desired as things change after publication. The torch has been passed.
Easy Access
Regardless of where you save your set of tools, I highly recommend that you create a bookmark within your
browser for easy access. I prefer them to be within my bookmarks toolbar so that they are always one click away.
Navigate to your search tools. If using the Linux, Mac, or Windows OSINT machines, they are in the Tools
folder on your desktop. Double-click the file titled "Search.html" and it should open within your default browser,
preferably Firefox. If the page opens in Chrome or another browser, open Firefox and use the file menu to
select "Open File" and browse to the "Search.html" file. After the page loads, create a bookmark. In Linux and
Windows, press "Ctrl" + "D" ("command" + "D" on Mac). When prompted, provide a name of "Tools" and
save the page in the folder titled "Bookmarks Toolbar". You should now see a new bookmark in your browser's
toolbar titled "Tools". If your Bookmarks Toolbar is not visible, click on "View", then "Toolbars", then "View
Bookmarks Toolbar". You can now click this new button within your toolbar at any time and immediately load
the Search Engines tool. Clicking through the other options in the left menu of that page should present all
other search tool pages. I use this shortcut to launch my tools daily.
Online Version
Finally, I present an additional option for accessing these tools. I will keep a live copy on my website within the
secure resources area for this book at the following address.
https://inteltechniques.com/osintbook9/tools
Navigating to this page should present an interactive version of all tools. As I modify my own pages, this live
collection will be updated. After signing in with the username and password previously presented (osint9 /
bookl43wt), you can execute queries here without the need to download your own tools. I see none of your
search activity and query data is never stored on my server. I offer this only as a convenience to readers, and I
still prefer the offline option for several reasons. First, the live tools could disappear at any time due to another
takedown demand. Next, you cannot modify my live online version as you can your own copy. Finally, you must
rely on my site being available during your investigations. The offline version is available on your desktop at any
time. Please use these responsibly. I suspect the live version may need to be removed some day due to abuse,
but I am optimistic that we can use this valuable resource for our daily investigations until then.
Section II
OSINT Resources & Techniques
Some may consider this section to be the "guts" of the book. It contains the OSINT tips, tricks, and techniques
which I have taught over the past twenty years. Each chapter was rewritten and confirmed accurate in December
2020. All outdated content was removed, many techniques were updated, and numerous new resources were
added. The first four editions of this book only consisted of this section. Only recently have I adopted the
preceding preparation section and the methodology topics toward the end. OSINT seems to have become a
much more complex industry over the years. It is exciting to watch the community grow and I am honored to
play an extremely small role.
This section is split into several chapters, and each explains a common type of target investigation. I have isolated
specific topics such as email addresses, usernames, social networks, and telephone numbers. Each chapter
provides every valuable resource and technique which I have found beneficial toward my own investigations.
No book could ever include every possible resource, as many tools become redundant after a superior version
has been identified. I do my best to limit the "noise" and simply present the most robust options for each
scenario. This section should serve as a reference when you encounter a specific need within your own
investigations.
Covert Accounts
Before proceeding with any of the investigation methods here, it is important to discuss covert accounts, also
referred to by some as "Sock Puppets". Covert accounts are online profiles which are not associated with your
true identity. Many social networks, such as Facebook and Instagram, now require you to be logged in to an
account before any queries can be conducted. Using your true personal account could reveal your identity as an
investigator to the target. Covert accounts on all of the social networks mentioned here are free and can be
completed using fictitious information. However, some networks will make this task more difficult than others.
Google, Facebook, Twitter, Instagram, and Yahoo are known to make you jump through hoops before you are
granted access. We begin this chapter discussing ways around this.
Email: It is vital that you possess a "clean" email address for your covert accounts. Every social network requires
an email address as a part of account registration, and you should never use an already established personal
address. Later chapters explain methods for researching the owners behind email addresses, and those
techniques can be applied to you and your own accounts. Therefore, consider starting fresh with a brand-new
email account dedicated toward use for covert profiles.
The choice of email provider is key here. I do not recommend GMX, ProtonMail, Yahoo, Gmail, MSN, or any
other extremely popular providers. These are heavily used by spammers and scammers, and are therefore more
scrutinized than smaller providers. My preference is to create a free email account at Fastmail
(https://ref.fm/ul4547153). This established mail provider is unique in two ways. First, they are one of the only
remaining providers which do not require a pre-existing email address in order to obtain a new address. This
means that there will be no connection from your new covert account to any personal accounts. Second, they
are fairly "off-radar" from big services such as Facebook, and are not scrutinized for malicious activity.
Fastmail will provide anyone unlimited free accounts on a 30-day trial. I suggest choosing an email address that
ends in fastmail.us instead of fastmail.com, as that domain is less used than their official address. This is a choice
during account creation. Once you have your new email address activated, you are ready to create covert profiles.
Note that the free trial terminates your access to this email account in 30 days, so this may not be best for long
term investigations. Personally, I possess a paid account which allows me 250 permanent alias email addresses.
• Facebook: This is by far the most difficult in terms of new account creation. For most new users,
Facebook will require you to provide a cellular telephone number where a verification text can be sent
and confirmed. Providing VOIP numbers such as a Google Voice account will not work anymore. I
have found only one solution. Turn off any VPN, Tor Browser, or other IP address masking service
and connect from a residential or business internet connection. Make sure you have cleared out all of
your internet cache and logged out of any accounts. Instead of creating a new account on facebook.com,
navigate directly to m.facebook.com. This is the mobile version of their site which is more forgiving on
new accounts. During account creation, provide the Fastmail email address that you created previously.
In most situations, you should bypass the requirement to provide a cellular number. If this method
failed, there is something about your computer or connection that is making Facebook unhappy.
Persistence will always equal success eventually. I find public library Wi-Fi our best internet option
during account creation. Instagram is similar to (and owned by) Facebook. Expect the same scrutiny.
• Twitter: Many of the Twitter techniques presented later will not require an account. However, the
third-party solutions will mandate that you be logged in to Twitter when using them. I highly
recommend possessing a covert account before proceeding. As long as you provide a legitimate email
address from a residential or business internet connection, you should have no issues. You may get
away with using a VPN to create an account, but not always.
• Google/Gmail/Voice: While Google has become more aggressive at refusing suspicious account
registrations, they are still very achievable. As with the previous methods, Google will likely block any
new accounts that are created over Tor or a VPN. Providing your Fastmail address as an alternative
form of contact during the account creation process usually satisfies their need to validate your request.
I have also found that they seem more accommodating during account creation if you are connected
through a Chrome browser versus a privacy-customized Firefox browser (Google owns Chrome).
• Network: I always prefer to conduct online investigations behind a VPN, but this can be tricky.
Creating accounts through a VPN often alerts the service of your suspicious behavior. Creating accounts
from public Wi-Fi, such as a local library or coffee shop, are typically less scrutinized. A day after
creation from open Wi-Fi, I attempt to access while behind a VPN. I then consistently select the same
VPN company and general location upon every usage of the profile. This builds a pattern of my network
and location, which helps maintain access to the account.
• Phone Number: The moment any service finds your new account to be suspicious, it will prompt you
for a valid telephone number. Landlines and VOIP numbers are blocked, and they will demand a true
cellular number. Today, I keep a supply of Mint Mobile SIM cards, which can be purchased for $0.99
from Amazon (https://amzn.to/2MRbGTI). Each card includes a telephone number with a one-week
free trial. I activate the SIM card through an old Android phone, select a phone number, and use that
number to open accounts across all of the major networks. As soon as the account is active, I change
the telephone number to a VOIP option and secure the account with two-factor authentication (2FA).
• 2FA: Once I have an account created, I immediately activate any two-factor authentication options.
These are secondary security settings which require a text message or software token (Authy) in order
to access the account. Typically, this behavior tells the service that you are a real person behind the
account, and not an automated bot using the profile for malicious reasons.
• Activity: After the account is created and secured, it is important to remain active. If you create a new
account and allow it to sit dormant for months, it is likely to be suspended the moment you log back in
to the account. If you access the account weekly, it is less likely to be blocked.
You may assume that you can use your personal social network accounts to search for information. While this
is possible, it is risky. Some services may never indicate to the target that your specific profile was used for
searching. Others, such as Facebook, will eventually notify the target that you have an interest in him, usually in
the form of friend recommendations. On any service, you are always one accidental click away from sending a
friend request from your real account to the suspect. For these reasons, I never use a personal social network
profile during any investigation. I maintain multiple covert accounts. The topic of undercover operations quickly
exceeds the scope of this book. For our purposes, we simply need to be logged in to valid accounts in order to
pacify the social networks. I will assume that you now have some accounts created. Let's dig in to online search.
Profile Content
Possession of an empty profile on a social network may suffice for your investigations. However, lack of personal
details might appear suspicious to both the provider and your target. Facebook is well known for suspending
accounts which do not contain personal information, and your targets may conduct their own OSINT research
into your publicly available details after you begin the hunt. For most scenarios, I believe you should populate a
minimum amount of fake details into your covert profiles. You should never provide anything which may be
associated with your true identity, such as interests, occupation, or location. Because of this, I rely heavily on
randomly-generated and AI-produced content. The resources below have helped me within my own profile
creation. Consider your own needs and employer policies before proceeding with your accounts.
Images: You may want a headshot within your profile which adds a layer of authenticity to your new covert
account. This can also eliminate scrutiny from Facebook and Twitter when their algorithms suspect your profile
to be fraudulent. I recommend This Person Does Not Exist (thispersondoesnotexist.com). This site generates
a very realistic image of a "person", which is entirely generated by computers. The image you see is not a real
person and should not be visible anywhere else online. Refreshing the page generates a new image. If you find
this beneficial, I encourage you to generate numerous images for future use in the event the site should disappear.
Name and Background: It may be easy to create your own alias name, but could you quickly generate a maiden
name, birthday, birthplace, zodiac sign, username, password, religion, and political view? This is where services
such as ElfQrin (elfqrin.com/fakeid.php) and Fake Name Generator (fakenamegenerator.com) can be
beneficial. The example below was created instantly with these services.
Resume: If you want to add another layer of realism to your new online identity, you might consider posting a
resume online. If your target begins investigating your profile and finds the resume, you may appear to be a real
person. I find Almost Real Resume (fake.jsonresume.org) best for this purpose. It will generate artificial
employment history, education, and interests.
Physical Space: Finally, you might consider This Rental Does Not Exist (thisrentaldoesnotexist.com). It uses
the same artificial intelligence technology as This Person Does Not Exist to generate fake interior views of a
home. These artificial images are intended to emulate a rental home or Air BNB profile, but they could be used
if you ever need to post pictures of your "home".
First name: Ella
Middle name: Theresa
Last name: Bowman
Mother's Maiden name: Sutton
Birthday: November, 07 1998 (Age: 23 years)
Birthplace: Walnut Creek, CA, USA
Zodiacal sign: Scorpio
User name: boc431
Password: f2b4qawha
Address: 101 Maryland Ave Ne, Washington, DC 20002
Car: Wrangler
Hair color: Black (BLK)
Eyes color: Brown (BRO)
Height: 166 cm / 5 ft 5 in
Weight: 56 Kg / 123 pounds
Shoe Size: 7.5
Blood Type: B+
Religion: Jehovah's Witnesses
Political side: Independent
Favorite Color: Purple
Favorite Comfort Food: Chocolate
Favorite Cereal: Raisin Bran
Favorite Season: Spring
Favorite Animal: Elephant
Lucky Number: 2
Chapter Nine
Search Engines
The first stop for many researchers will be a popular search engine. The two big players in the United States are
Google and Bing. This chapter will go into great detail about the advanced ways to use both and others. Most
of these techniques can apply to any search engine, but many examples will be specific for these two. Much of
this chapter is unchanged from the 7th edition.
Google (google.com)
There are entire books dedicated to Google searching and Google hacking. Most of these focus on penetration
testing and securing computer networks. These are full of great information, but are often overkill for the
investigator looking for quick personal information. A few simple rules can help locate more accurate data. No
book in existence will replace practicing these techniques in a live web browser. When searching, you cannot
break anything. Play around and get familiar with the advanced options.
Quotation Marks
Placing a target name inside of quotation marks will make a huge difference in a quick first look for information.
If I conducted a search for my name without quotes, the result is 147,000 pages that include the words "Michael"
and "Bazzell". These pages do not necessarily have these words right next to each other. The word "Michael"
could be next to another person’s name, while "Bazzell" could be next to yet another person's name. These
results can provide inaccurate information. They may include a reference to "Michael Santo" and "Barty Bazzell",
but not my name. Since technically the words "Michael" and "Bazzell" appear on the page, you are stuck with
the result in your list. In order to prevent this, you should always use quotes around the name of your target.
Searching for the term "Michael Bazzell", including the quotes, reduces the search results to 31,800.
Each of these pages will contain the words "Michael" and "Bazzell" right next to each other. While Google and
other search engines have technology in place to search related names, this is not always perfect, and does not
apply to searches with quotes. For example, the search for "Michael Bazzell", without quotes, located pages that
reference Mike Bazzell (instead of Michael). This same search with quotes did not locate these results. Placing
quotes around any search terms tells Google to search exactly what you tell it to search. If your target's name is
"Michael", you may want to consider an additional search for "Mike". If a quoted search returns nothing, or few
results, you should remove the quotes and search again.
When your quoted search, such as "Michael Bazzell", returns too many results, you should add to your search.
When I add the term "FBI" after my name, the results reduce from 31,800 to 12,000. These results all contain
pages that have the words "Michael" and "Bazzell" next to each other, and include the term "FBI" somewhere
on the page. While all of these results may not be about me, the majority will be and can be easily digested.
Adding the occupation, residence city, general interest, or college of the target may help eliminate unrelated
results. This search technique can be vital when searching email addresses or usernames. When searching the
email address of "[email protected]", without quotes, I receive 14,200 results. When I search
"[email protected]" with quotes, I receive only 7 results that actually contain that email address
(which does not reach my inbox).
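The quoting rules above can be turned into a repeatable set of search URLs. The following JavaScript is an added example, not code from the book's tools download; the function names, the nickname and context arguments, and the sample email address are assumptions made for illustration.

```javascript
// Added example: builds the Google queries described in the Quotation Marks section.
// All names here are hypothetical; the sample inputs at the bottom are constructed.
const GOOGLE_SEARCH = "https://www.google.com/search?q=";

// Wrap a phrase in straight double quotes so the engine matches it exactly.
// Quotes already present (straight or curly) are stripped first, and runs of
// whitespace are collapsed, so pasted input does not produce ""name"".
function quotePhrase(phrase) {
  const cleaned = String(phrase)
    .replace(/["\u201C\u201D]/g, "")
    .trim()
    .replace(/\s+/g, " ");
  if (cleaned === "") throw new Error("empty search phrase");
  return `"${cleaned}"`;
}

// encodeURIComponent turns " into %22, a space into %20 and @ into %40,
// so the quotes survive as part of the q parameter instead of breaking the URL.
function toUrl(query) {
  return GOOGLE_SEARCH + encodeURIComponent(query);
}

// Produce, in order: the exact-phrase search for the name and for each nickname
// (the "Michael" / "Mike" case), each of those narrowed by a context term such
// as an employer or city, and finally the unquoted search to fall back on when
// the quoted searches return little or nothing.
function buildNameQueries(first, last, { nicknames = [], context = [] } = {}) {
  const seen = new Set();
  const out = [];
  const add = (label, query) => {
    if (seen.has(query)) return; // skip duplicates such as a repeated nickname
    seen.add(query);
    out.push({ label, query, url: toUrl(query) });
  };
  for (const given of [first, ...nicknames]) {
    const exact = quotePhrase(`${given} ${last}`);
    add(`exact name (${given})`, exact);
    for (const term of context) {
      const t = term.trim();
      // Multi-word context terms are quoted too, single words are left bare.
      const extra = /\s/.test(t) ? quotePhrase(t) : t;
      add(`exact name (${given}) + ${t}`, `${exact} ${extra}`);
    }
  }
  add("unquoted fallback", `${first} ${last}`.trim());
  return out;
}

// Constructed sample input.
const sample = buildNameQueries("Michael", "Bazzell", {
  nicknames: ["Mike"],
  context: ["FBI"],
});
for (const q of sample) console.log(`${q.label}: ${q.url}`);

// The same exact-match rule applied to an email address (constructed address).
console.log(toUrl(quotePhrase("jane.doe@example.com")));
```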
Search Operators
Most search engines allow the use of commands within the search field. These commands are not actually part
of the search terms and are referred to as operators. There are two parts to most operator searches, and each
are separated by a colon. To the left of the colon is the type of operator, such as "site" (website) or "ext" (file